From: Joshua Brindle <method@manicmethod.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: russell@coker.com.au, Daniel J Walsh <dwalsh@redhat.com>,
	selinux@tycho.nsa.gov, 503252-forwarded@bugs.debian.org,
	Eric Paris <eparis@parisplace.org>
Subject: Re: policycoreutils: audit2allow -l doesn't work with dmesg pipe
Date: Fri, 27 Nov 2009 15:03:29 -0500
Message-ID: <4B103091.3030306@manicmethod.com>
In-Reply-To: <1252419007.13634.346.camel@moss-pluto.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Mon, 2009-08-24 at 23:37 +1000, Russell Coker wrote:
>> On Mon, 24 Aug 2009, Daniel J Walsh <dwalsh@redhat.com> wrote:
>>>>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503252
>>>>> audit2allow -l is looking for the load_policy message which does not go
>>>>> to the dmesg, /var/log/messages.  Therefore the tool has no idea when
>>>>> policy was last loaded.
>>>> That would be a kernel bug then.
>>> Well I believe the messages that are intercepted by the audit.log do not go
>>> into dmesg, by design. Although Steve, James or Eric could probably say for
>>> sure.
>> When auditd is not running on a Debian system with CentOS kernel
>> 2.6.18-92.1.13.el5xen or Debian/Lenny kernel 2.6.26-2-xen-686 then nothing
>> goes to the kernel message log which is interpreted by audit2allow as a
>> candidate for the "-l" functionality.
>>
>> It's OK if all the AVC messages go to the audit log and "dmesg|audit2allow -l"
>> gives no output.  But if all AVC messages other than the load_policy message
>> go to the kernel message log then it's a bug.
>
> Originally audit2allow used the avc: allowed message generated by
> auditallow statement for load_policy to identify policy reloads.  Later
> it was switched to use the MAC_POLICY_LOAD events generated by the audit
> framework.  Those events should still get logged via printk if auditd is
> not running, but it appears that the code (audit_printk_skb) will then
> log the type= field as an integer rather than a string, and
> audit2allow/sepolgen only looks for the string MAC_POLICY_LOAD.
>
> So I suspect that this would be resolved by modifying sepolgen/audit.py
> to also match on type=1403 for load messages.  Try this:
>
> diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
> index 4717dae..efcc40d 100644
> --- a/sepolgen/src/sepolgen/audit.py
> +++ b/sepolgen/src/sepolgen/audit.py
> @@ -314,7 +314,7 @@ class AuditParser:
>               elif i == "security_compute_sid:":
>                   msg = ComputeSidMessage(line)
>                   found = True
> -            elif i == "type=MAC_POLICY_LOAD":
> +            elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
>                   msg = PolicyLoadMessage(line)
>                   found = True
>               elif i == "type=AVC_PATH":
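Review bot: the literal `"type=1403"` on the `+` line is a bare magic number; nothing in the code records that it is the integer form of MAC_POLICY_LOAD that audit_printk_skb emits when auditd is not running, which is the whole reason for the change. A one-line comment above the `elif`, or a module-level tuple such as `("type=MAC_POLICY_LOAD", "type=1403")` checked with `in`, would keep that rationale next to the comparison. The adjacent `elif i == "type=AVC_PATH":` compares a symbolic name in exactly the same way, so it is exposed to the same printk fallback; worth a note in the commit message even if it is left for a follow-up.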
>
>

Merged in sepolgen 1.0.19

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
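The situation Stephen describes above, a policy-load record that reaches the kernel log with a numeric type= field when auditd is not running while the parser only matches the symbolic name, can be exercised with the following Python. This is an added example, not sepolgen's or policycoreutils' code: it walks a list of constructed records, accepts either token form for a policy load, and emulates the audit2allow -l behaviour by returning only the AVC denials that follow the last load. The sample lines and helper names are assumptions of this example; the 1403 value is the one given in the message above.

```python
# Added example (not sepolgen code): recognise policy-load records in both the
# auditd form (symbolic type name) and the printk fallback form (numeric type),
# then emulate "audit2allow -l" by keeping only denials after the last load.

# Both spellings of a policy-load record. 1403 is the integer the thread above
# reports for MAC_POLICY_LOAD when the kernel logs via printk instead of auditd.
POLICY_LOAD_TOKENS = {"type=MAC_POLICY_LOAD", "type=1403"}


def is_policy_load(line):
    """True if any whitespace-separated token marks this record as a policy load.

    Exact token comparison (not substring search) so that, for example,
    'type=14030' would not be mistaken for 'type=1403'.
    """
    return any(tok in POLICY_LOAD_TOKENS for tok in line.split())


def is_avc_denial(line):
    """True for AVC denial records in either dmesg or audit.log form."""
    return "avc:" in line and "denied" in line


def denials_since_last_load(lines):
    """Emulate audit2allow -l over an iterable of log lines.

    Returns (load_seen, denials): load_seen tells the caller whether any
    policy-load marker was found at all (the bug in the thread is the case
    where it silently is not), and denials holds the AVC denials that occur
    after the last such marker (or all denials when none was found).
    """
    lines = list(lines)
    last_load = None
    for idx, line in enumerate(lines):
        if is_policy_load(line):
            last_load = idx
    start = 0 if last_load is None else last_load + 1
    denials = [line for line in lines[start:] if is_avc_denial(line)]
    return last_load is not None, denials


# Constructed sample records in the printk (dmesg) form: numeric type= fields.
SAMPLE_DMESG = [
    'type=1400 audit(1251054000.123:45): avc:  denied  { read } for  pid=1234 '
    'comm="cat" name="shadow" dev=sda1 ino=22 scontext=user_u:user_r:user_t '
    'tcontext=system_u:object_r:shadow_t tclass=file',
    'type=1403 audit(1251054010.456:46): policy loaded auid=4294967295 ses=4294967295',
    'type=1400 audit(1251054020.789:47): avc:  denied  { write } for  pid=1235 '
    'comm="httpd" name="index.html" dev=sda1 ino=33 scontext=system_u:system_r:httpd_t '
    'tcontext=system_u:object_r:httpd_sys_content_t tclass=file',
]

# Constructed sample records in the auditd (audit.log) form: symbolic type names.
SAMPLE_AUDITD = [
    'type=AVC msg=audit(1251054000.123:45): avc:  denied  { read } for  pid=1234 '
    'comm="cat" name="shadow" dev=sda1 ino=22 scontext=user_u:user_r:user_t '
    'tcontext=system_u:object_r:shadow_t tclass=file',
    'type=MAC_POLICY_LOAD msg=audit(1251054010.456:46): policy loaded auid=4294967295 ses=4294967295',
]


if __name__ == "__main__":
    for name, sample in (("dmesg", SAMPLE_DMESG), ("auditd", SAMPLE_AUDITD)):
        seen, denials = denials_since_last_load(sample)
        print(f"{name}: load marker seen={seen}, denials after last load={len(denials)}")
        for d in denials:
            print("  ", d[:72], "...")
```

With only the symbolic name in `POLICY_LOAD_TOKENS`, the dmesg sample would report `load_seen=False` and return both denials, which is the behaviour the Debian bug reports: the tool cannot tell when policy was last loaded, so `-l` filters nothing. Returning `load_seen` separately lets a caller warn about that case rather than silently emitting stale denials.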

Thread overview: 9+ messages
2009-08-23 14:50 policycoreutils: audit2allow -l doesn't work with dmesg pipe Manoj Srivastava
2009-08-23 17:45 ` Daniel J Walsh
2009-08-23 20:11   ` Russell Coker
2009-08-24 12:36     ` Daniel J Walsh
2009-08-24 13:37       ` Russell Coker
2009-09-08 14:10         ` Stephen Smalley
2009-09-16 15:03           ` Joshua Brindle
2009-10-21 13:56           ` Manoj Srivastava
2009-11-27 20:03           ` Joshua Brindle [this message]
