Re: [PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-audit@redhat.com, selinux@tycho.nsa.gov
Subject: Re: [PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting
Date: Tue, 22 Nov 2016 15:13:40 -0500	[thread overview]
Message-ID: <1612970.M9BsOE2y15@x2> (raw)
In-Reply-To: <8fc7f4df-3c1a-3c5b-ceb9-67b140383ee7@tycho.nsa.gov>

On Tuesday, November 22, 2016 2:47:15 PM EST Stephen Smalley wrote:
> >> At present, we only generate AUDIT_MAC_STATUS, AUDIT_MAC_LOAD, and
> >> AUDIT_MAC_CONFIG_CHANGE on success (or at least partial success).  If
> >> you truly need to audit failures, then it seems like you either need to
> >> a) do it through syscall audit filters, which already provide a success=
> >> field
> > 
> > I can't imagine what to audit on. There is an open syscall that has a
> > path. But I suspect that does not fail because policy has not be written.
> > There is a write syscall but triggering on that is pretty generic. This is
> > not ideal.
>
> Can't you write an audit syscall filter or watch on
> /sys/fs/selinux/load?  Ditto for /sys/fs/selinux/enforce,
> /sys/fs/selinux/commit_pending_bools, etc.

Yes, you can. But this is for the open syscall. sel_write_load() is the 
function where the auditing is done but its mapped to the .write member of 
sel_load_ops. Auditing on write is not a good thing.

So, if AUDIT_MAC_POLICY_LOAD must only appear when there is success, then its 
best to create a second event for failure and hard code the 'res' fields for 
both.

-Steve

WARNING: multiple messages have this Message-ID (diff)

From: Steve Grubb <sgrubb@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Paul Moore <paul@paul-moore.com>,
	linux-audit@redhat.com, selinux@tycho.nsa.gov
Subject: Re: [PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting
Date: Tue, 22 Nov 2016 15:13:40 -0500	[thread overview]
Message-ID: <1612970.M9BsOE2y15@x2> (raw)
In-Reply-To: <8fc7f4df-3c1a-3c5b-ceb9-67b140383ee7@tycho.nsa.gov>

On Tuesday, November 22, 2016 2:47:15 PM EST Stephen Smalley wrote:
> >> At present, we only generate AUDIT_MAC_STATUS, AUDIT_MAC_LOAD, and
> >> AUDIT_MAC_CONFIG_CHANGE on success (or at least partial success).  If
> >> you truly need to audit failures, then it seems like you either need to
> >> a) do it through syscall audit filters, which already provide a success=
> >> field
> > 
> > I can't imagine what to audit on. There is an open syscall that has a
> > path. But I suspect that does not fail because policy has not be written.
> > There is a write syscall but triggering on that is pretty generic. This is
> > not ideal.
>
> Can't you write an audit syscall filter or watch on
> /sys/fs/selinux/load?  Ditto for /sys/fs/selinux/enforce,
> /sys/fs/selinux/commit_pending_bools, etc.

Yes, you can. But this is for the open syscall. sel_write_load() is the 
function where the auditing is done but its mapped to the .write member of 
sel_load_ops. Auditing on write is not a good thing.

So, if AUDIT_MAC_POLICY_LOAD must only appear when there is success, then its 
best to create a second event for failure and hard code the 'res' fields for 
both.

-Steve

next prev parent reply	other threads:[~2016-11-22 20:13 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-21 17:30 [PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting Steve Grubb
2016-11-21 21:50 ` Paul Moore
2016-11-21 21:50   ` Paul Moore
2016-11-21 22:51   ` Steve Grubb
     [not found]   ` <CAHC9VhSYkymKzvbOW1vkZ_Ae=VGZc8TcMKimyXO0iO7e6M8GzQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-22 13:56     ` Stephen Smalley
2016-11-22 13:56       ` Stephen Smalley
2016-11-22 14:28       ` Steve Grubb
2016-11-22 14:28         ` Steve Grubb
2016-11-22 14:55         ` Stephen Smalley
2016-11-22 14:55           ` Stephen Smalley
2016-11-22 18:53           ` Lenny Bruzenak
2016-11-22 18:53             ` Lenny Bruzenak
2016-11-22 19:39           ` Steve Grubb
2016-11-22 19:39             ` Steve Grubb
2016-11-22 19:47             ` Stephen Smalley
2016-11-22 19:47               ` Stephen Smalley
2016-11-22 20:13               ` Steve Grubb [this message]
2016-11-22 20:13                 ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1612970.M9BsOE2y15@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.