From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paul Moore <paul.moore@hp.com>
Subject: NetLabel audit messages
Date: Fri, 22 Sep 2006 13:38:44 -0400
Message-ID: <45141FA4.5070901@hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k8MHco45027226
	for <linux-audit@redhat.com>; Fri, 22 Sep 2006 13:38:50 -0400
Received: from atlrel6.hp.com (atlrel6.hp.com [156.153.255.205])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k8MHcotP015863
	for <linux-audit@redhat.com>; Fri, 22 Sep 2006 13:38:50 -0400
Received: from smtp2.fc.hp.com (smtp2.fc.hp.com [15.11.136.114])
	by atlrel6.hp.com (Postfix) with ESMTP id E6D9134778
	for <linux-audit@redhat.com>; Fri, 22 Sep 2006 13:38:44 -0400 (EDT)
Received: from [16.116.113.207] (flek.zko.hp.com [16.116.113.207])
	by smtp2.fc.hp.com (Postfix) with ESMTP id 9A18A798F2
	for <linux-audit@redhat.com>; Fri, 22 Sep 2006 17:38:44 +0000 (UTC)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


In order to meet certain certification requirements, the NetLabel kernel
subsystem needs to write a small number of audit messages.  From what I
can tell this is going to require a new message type as well as
agreement on the content and formatting of the messages themselves.  Am
I missing anything?

For the new message type, I would like to propose the following:

 #define AUDIT_NLBL 1480


For the messages themselves, here is what I was thinking:

 "netlabel: <protocol> op=<operation> pid=<pid> tty=<tty> comm=<name>
            exe=<path> uid=<uid> auid=<auid> euid=<euid> suid=<suid>
            fsuid=<fsuid> gid=<gid> egid=<euid> sgid=<suid>
            fsgid=<fsuid> [<cipsov4 extras>|<managment extras>]"

 <protocol>         => cipsov4 | unlabeled | management

 <operation>        => (for protocol == cipsov4) add | del
                       (for protocol == unlabeled) accept | deny
                       (for protocol == management) map_add | map_delete

 <cipsov4 extras>   => doi=<DOI #> type=<DOI type>
  <DOI #>    => (CIPSO DOI value, i.e. unsigned 32-bit value)
  <DOI type> => std | pass

 <mangement extras> => domain=<domain> protocol=<protocol> [doi=<DOI #>]
  <domain>   => "(domain string, i.e. foo_t)" | default

Comments and suggestions are welcome.

-- 
paul moore
linux security @ hp