From: "Lamont R. Peterson"
To: SELinux
Subject: Re: [RFC][PATCH] collect security labels on user processes generating audit messages
Date: Thu, 16 Feb 2006 12:03:27 -0700
References: <200602151122.37945.sgrubb@redhat.com> <43F36244.7040000@hp.com>
In-Reply-To: <43F36244.7040000@hp.com>
Message-Id: <200602161203.31552.lrp@xmission.com>
List-Id: selinux@tycho.nsa.gov

On Wednesday 15 February 2006 10:17am, Linda Knippers wrote:
> Steve Grubb wrote:
> > This should be a separate thread since the topic is different.
> >
> > On Wednesday 15 February 2006 11:14, Linda Knippers wrote:
> >> Amy submitted a patch a while back to eliminate the "name=" field
> >> to avoid "name=(null)" from the audit records if there was no name
> >> but I don't think the patch went anywhere.
> >
> > Right. I want all audit fields to have name=value. If we have %s in the
> > message and pass NULL to it, snprintf is already going to put "(null)" so
> > what's wrong with just using this precedent?
>
> The problem is that "(null)" is a valid file name.
>
> [ljk@cert-e2 ~]$ touch "(null)"
> [ljk@cert-e2 ~]$ ls -l "(null)"
> -rw-rw-r-- 1 ljk ljk 0 Feb 17 11:14 (null)
>
> When I look at audit records generated by those commands I see records
> like this:
>
> type=SYSCALL msg=audit(1140192875.311:3789): arch=c000003e syscall=132
> success=yes exit=0 a0=7fbffffc51 a1=0 a2=1b6 a3=0 items=1 pid=2116
> auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501
> fsgid=501 comm="touch" exe="/bin/touch"
> type=CWD msg=audit(1140192875.311:3789): cwd="/home/ljk"
> type=PATH msg=audit(1140192875.311:3789): name="(null)" flags=1
> inode=6537222 dev=fd:01 mode=0100664 ouid=501 ogid=501 rdev=00:00
>
> How can I tell from the audit records that the file name was "(null)"
> vs. having "(null)" manufactured by the audit system?

How about:

type=PATH msg=audit(1140192875.311:3789): name=NULL flags=1

in cases where it truly is NULL?  The double-quotes "" are used to quote
file-names and without them, we have some kind of meta-value, instead.

[snip]
-- 
Lamont R. Peterson [ http://www.xmission.com/~lrp/ ]
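The distinction the reply proposes (quoted value means a file name, bare value means a meta-value) is exactly what a log consumer has to implement, so here is a small audit-record field parser that applies it. This is an added example, not code from the thread or from the audit project: the `parse_audit_record` and `path_name` names and the `Field` type are mine, the SYSCALL and PATH records are the ones quoted in the message joined back onto single lines, and `PROPOSED_NULL_RECORD` is a constructed record showing the `name=NULL` form the reply suggests.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# One key=value token of an audit record.  The value is either a
# double-quoted string (a file name or other untrusted string) or a bare
# run of non-space characters (numbers, flags, and, under the convention
# proposed in the thread, meta-values such as NULL).
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass(frozen=True)
class Field:
    raw: str       # value as it appeared, with surrounding quotes removed
    quoted: bool   # True when the record wrapped the value in double quotes


def parse_audit_record(line: str) -> Dict[str, Field]:
    """Split one audit record into its fields, remembering for each field
    whether the value was quoted.  That bit is what lets a consumer tell
    the file name "(null)" from a meta-value."""
    fields: Dict[str, Field] = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            fields[key] = Field(value[1:-1], True)
        else:
            fields[key] = Field(value, False)
    return fields


def path_name(line: str) -> Optional[str]:
    """Return the file name carried by a PATH record, or None when the
    record says no name was available (name=NULL, or no name field at all,
    the variant Amy's patch in the thread would produce)."""
    fields = parse_audit_record(line)
    rec_type = fields.get("type")
    if rec_type is None or rec_type.raw != "PATH":
        raise ValueError("not a PATH record")
    name = fields.get("name")
    if name is None:
        return None
    if name.quoted:
        return name.raw          # a genuine file name, even if it reads "(null)"
    if name.raw == "NULL":
        return None              # bare meta-value: the kernel had no name
    raise ValueError(f"unexpected unquoted name value: {name.raw!r}")


# Records quoted in the message, re-joined onto one line each.
PAGE_SYSCALL_RECORD = (
    "type=SYSCALL msg=audit(1140192875.311:3789): arch=c000003e syscall=132 "
    "success=yes exit=0 a0=7fbffffc51 a1=0 a2=1b6 a3=0 items=1 pid=2116 "
    "auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 "
    'fsgid=501 comm="touch" exe="/bin/touch"'
)
PAGE_PATH_RECORD = (
    'type=PATH msg=audit(1140192875.311:3789): name="(null)" flags=1 '
    "inode=6537222 dev=fd:01 mode=0100664 ouid=501 ogid=501 rdev=00:00"
)
# Constructed: the same PATH record as it would look under the name=NULL
# convention proposed in the reply.  Under the snprintf precedent the
# thread objects to, a record with no name is byte-identical to
# PAGE_PATH_RECORD, which is the ambiguity Linda points out.
PROPOSED_NULL_RECORD = "type=PATH msg=audit(1140192875.311:3789): name=NULL flags=1"


if __name__ == "__main__":
    for rec in (PAGE_PATH_RECORD, PROPOSED_NULL_RECORD):
        print(f"{rec.split(' name=')[1].split()[0]:>10} -> {path_name(rec)!r}")
    syscall = parse_audit_record(PAGE_SYSCALL_RECORD)
    print("comm:", syscall["comm"], "pid:", syscall["pid"])
```

With the quoting rule applied, the page's record yields the real file name `"(null)"`, the proposed `name=NULL` record yields `None`, and a consumer never has to guess which of the two the kernel meant.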