
I'm trying to write an audisp plugin on a CentOS 7 Linux VM. Instead of statically setting the audit rules via /etc/audit/rules.d/, I wanted to add rules dynamically from the plugin using the libaudit interfaces (based on some system settings).

My code looks somewhat like the following:

    #include <libaudit.h>

    int fd_audit = audit_open(); // this is successful
    if (audit_is_enabled(fd_audit) <= 0) {
        audit_set_enabled(fd_audit, 1); // "Permission denied" error given
    } else {
        // set some rules
    }

The problem I'm facing is with the audit_set_enabled() function: permission is denied when SELinux is enforcing. When SELinux is permissive, audit_set_enabled() returns a successful status, but adding an audit rule still fails.

I tried looking for AVC denied messages but can't seem to find any.

Any help or advice is welcome.

Nickleman

1 Answer


Managed to solve the above problem by disabling the "don't audit" rules with sudo semodule -DB.

Then I was able to get AVC logs and fix the SELinux policy rules with audit2allow. It seems I was missing the netlink_audit_socket { read write } access rights.

Nickleman
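As an added illustration of the answer's workflow (not the poster's code): a small script that turns an AVC denial line of the kind semodule -DB exposes into the allow rule audit2allow would generate, plus the semodule/audit2allow sequence as a root-only function. The domain name my_audisp_t, the module name my_audisp and the sample AVC line are constructed assumptions, since the post does not name the plugin's SELinux domain.

```shell
#!/bin/sh
# Constructed sample of the denial that only becomes visible after `semodule -DB`
# (assumed domain my_audisp_t; the post does not name the plugin's domain).
AVC_SAMPLE='type=AVC msg=audit(1600000000.123:456): avc:  denied  { read write } for  pid=1234 comm="my_audisp" scontext=system_u:system_r:my_audisp_t:s0 tcontext=system_u:system_r:my_audisp_t:s0 tclass=netlink_audit_socket permissive=0'

# Derive the allow rule audit2allow -M would emit from one AVC denial line.
# A netlink socket a process creates carries the process's own domain, so
# source == target is written as "self", exactly as audit2allow does.
avc_to_allow() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
            | sed 's/^ *//; s/ *$//; s/  */ /g')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    if [ "$stype" = "$ttype" ]; then target=self; else target=$ttype; fi
    printf 'allow %s %s:%s { %s };\n' "$stype" "$target" "$tclass" "$perms"
}

# The answer's workflow as one function. Needs root on the CentOS 7 VM and is
# deliberately not invoked below; my_audisp is a placeholder module name.
regenerate_audisp_policy() {
    semodule -DB                   # stop hiding denials covered by dontaudit rules
    service auditd restart         # CentOS 7: restart auditd this way so it
                                   # reloads the audisp plugin and reproduces the denial
    ausearch -m avc -ts recent | audit2allow -M my_audisp   # writes my_audisp.te/.pp
    semodule -i my_audisp.pp       # load the generated module
    semodule -B                    # rebuild the policy, restoring dontaudit rules
}

avc_to_allow "$AVC_SAMPLE"   # allow my_audisp_t self:netlink_audit_socket { read write };
```

Review the generated my_audisp.te before loading it: audit2allow grants exactly what was denied, so anything beyond netlink_audit_socket { read write } in it is a sign the plugin is doing more than it should.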