From: Paul Moore
To: Linda Knippers
Cc: linux-audit@redhat.com
Subject: Re: [RFC 1/1] NetLabel: add audit support for configuration changes
Date: Thu, 28 Sep 2006 10:27:08 -0400
Message-ID: <451BDBBC.2040301@hp.com>

Linda Knippers wrote:
> Thanks for sending the audit records.
>
>> # netlabelctl unlbl accept on
>>
>>type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl
>>action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"
>>exe="/usr/local/sbin/netlabelctl"
>>
>> (there is also an audit message for "unlbl accept off" which changes
>> "action=accept" to "action=deny")
>
> One nit-picky comment is that once the user-space tools know about the
> message type and insert "MAC_UNLBL_ACCEPT" as the type, the module=
> and action= fields will be somewhat redundant. I think the same is
> true for the other types of audit records. You could omit the switch
> statement in netlbl_audit_start_common() and shorten the audit records
> if we rely on the audit record type to provide that module/action information.

I've received similar comments from others as well, I plan on dropping
those two fields in the next release of the patch. Speaking of which, I
should have the next release out later today, I'm just waiting on some
feedback to see if it meets all of the LSPP certification requirements.

--
paul moore
linux security @ hp
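
Added example, not part of the original message or of the NetLabel patch: a small parser for the audit record quoted above, showing that a consumer which selects on the record type keeps working once module= and action= are dropped. The mapping of the name MAC_UNLBL_ACCEPT to 1406, the shortened record and the unrelated record are assumptions constructed for illustration.

```python
import re

# Constructed input: the record quoted in the message with its mail line
# wrapping undone, plus the shortened form the thread proposes (same record
# without module= and action=) and an unrelated record.
QUOTED = ('type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: '
          'module=unlbl action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 '
          'comm="netlabelctl" exe="/usr/local/sbin/netlabelctl"')
SHORTENED = QUOTED.replace('module=unlbl action=accept ', '')
OTHER = 'type=UNKNOWN[9999] msg=audit(1159362395.000:421): example: pid=1'

# Assumption: the symbolic name mentioned in the message corresponds to the
# numeric type shown in the quoted record.
TYPE_NAMES = {'MAC_UNLBL_ACCEPT': 1406}

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
UNKNOWN = re.compile(r'^UNKNOWN\[(\d+)\]$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into type, timestamp, serial and key=value fields."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError('not an audit record: %r' % line)
    type_text, stamp, serial, body = m.groups()
    unknown = UNKNOWN.match(type_text)
    type_id = int(unknown.group(1)) if unknown else TYPE_NAMES.get(type_text)
    # Free-text prefixes such as "netlabel:" contain no "=" and are skipped.
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return {'type': type_text, 'type_id': type_id, 'time': float(stamp),
            'serial': int(serial), 'fields': fields}

def select_by_type(lines, type_id):
    """Return parsed records of one type, whether or not module=/action= exist."""
    records = (parse_record(line) for line in lines)
    return [r for r in records if r['type_id'] == type_id]

if __name__ == '__main__':
    for rec in select_by_type([QUOTED, SHORTENED, OTHER], 1406):
        print(rec['serial'], rec['fields'].get('action'), rec['fields']['exe'])
```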