From: Tony Jones <tonyj@suse.de>
To: Tyler Hicks <tyhicks@canonical.com>, Steve Grubb <sgrubb@redhat.com>
Cc: wpreston@suse.com, linux-audit@redhat.com, seth.arnold@canonical.com
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Mon, 23 Jun 2014 17:06:55 -0700	[thread overview]
Message-ID: <53A8C11F.7040409@suse.de> (raw)
In-Reply-To: <20140606211051.GB15921@boyd>

On 06/06/2014 02:10 PM, Tyler Hicks wrote:
> [Added Eric to cc]

You didn't actually add Eric to the Cc. Adding him.

> 
> On 2014-06-06 13:46:48, Tyler Hicks wrote:
>> On 2014-05-30 17:00:04, Steve Grubb wrote:
>>> On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
>>>> On 2014-05-30 15:53:49, Steve Grubb wrote:
>>>>> On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
>>>>>> This patch came from our L3 department.  AppArmor LSM is logging using
>>>>>> the common_lsm_audit() call but the audit userspace parsing code expects
>>>>>> to see an SELinux tclass field. This patch doesn't address the lack of
>>>>>> support for AppArmor in "aureport --avc".  Talking to Seth Arnold,
>>>>>> Canonical apparently has patches for this; if this is true perhaps they
>>>>>> can post for inclusion.
>>>>>>
>>>>>> Based-on-work-by: William Preston <wpreston@suse.com>
>>>>>> Signed-off-by: Tony Jones <tonyj@suse.de>
>>>>>
>>>>> I was looking at this patch and was wondering something. Does AppArmor
>>>>> produce AUDIT_AVC events?
>>>>
>>>> It does. Here's an odd ball that I picked out of my audit log:
>>>
>>> Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so that this
>>> problem would never happen.
>>>
>>> libaudit.h:
>>> #define AUDIT_FIRST_SELINUX     1400
>>> #define AUDIT_LAST_SELINUX      1499
>>> #define AUDIT_FIRST_APPARMOR            1500
>>> #define AUDIT_LAST_APPARMOR             1599
>>
>> I wasn't involved with AppArmor when it was going through upstream
>> acceptance reviews, but I've asked around to get the history.
>>
>> As Tony mentioned, AppArmor was originally using the 1500-1599 block. At
>> some point (I couldn't find it in the list archives), it was said that
>> AppArmor needs to use common_lsm_audit() which unconditionally uses
>> AUDIT_AVC.
> 
> I found the review that caused AppArmor to switch to the common LSM
> audit function:
> 
>   https://lkml.org/lkml/2009/11/9/232
> 
> That email is almost 5 years old and minds can change over that time,
> but Eric seemed to be against adding new audit event types for each LSM.
> Instead, he wanted a lsm=<LSM> pair to be included in the message.
> 
> AppArmor can accommodate either approach so I think Steve and Eric ought
> to come to an agreement on what non-SELinux LSMs should do when
> auditing.
> 
> Tyler

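Added example, not the patch from this thread nor audit-userspace code: a small Python parser over constructed audit records that shows why a search keyed on the SELinux tclass= field drops AppArmor AVC events, and how the two approaches raised in the thread identify the LSM (the 1500-1599 type block quoted from libaudit.h, versus an lsm=<LSM> key in the record). The key=value record layout is the general audit format; the lsm= key is only the proposal discussed above and is treated here as hypothetical.

```python
# Added example, not the thread's patch or audit-userspace code; the log records
# below are constructed to show why a tclass-keyed search drops AppArmor AVCs.
import re

AUDIT_FIRST_SELINUX, AUDIT_LAST_SELINUX = 1400, 1499    # libaudit.h, as quoted
AUDIT_FIRST_APPARMOR, AUDIT_LAST_APPARMOR = 1500, 1599  # in the thread
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def lsm_for_type(msg_type):
    """Option 1: a dedicated type block identifies the LSM by number alone."""
    if AUDIT_FIRST_SELINUX <= msg_type <= AUDIT_LAST_SELINUX:
        return "selinux"
    if AUDIT_FIRST_APPARMOR <= msg_type <= AUDIT_LAST_APPARMOR:
        return "apparmor"
    return "unknown"

def parse_fields(record):
    """Split an audit record into key=value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(record)}

def lsm_for_avc_record(fields):
    """Option 2: type AVC (1400) is shared, so identify the LSM by its keys."""
    if "lsm" in fields:          # the hypothetical lsm=<LSM> pair from the thread
        return fields["lsm"]
    if "tclass" in fields:       # only SELinux emits tclass=
        return "selinux"
    return "apparmor" if "apparmor" in fields else "unknown"

def search_avc(records, require_tclass):
    """(msg id, lsm) per AVC hit; require_tclass=True mirrors pre-patch ausearch."""
    hits = []
    for line in records:
        f = parse_fields(line)
        if f.get("type") != "AVC":
            continue
        if require_tclass and "tclass" not in f:   # the bug: AppArmor dropped
            continue
        hits.append((f["msg"], lsm_for_avc_record(f)))
    return hits

# Constructed: SELinux denial, AppArmor denial, AppArmor denial with lsm= pair.
SAMPLE_LOG = [
    'type=AVC msg=audit(1401923000.101:201): avc:  denied  { read } for  pid=2201 '
    'comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1401923000.102:202): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/var/tmp/job.txt" pid=2202 comm="cupsd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1401923000.103:203): lsm=apparmor apparmor="DENIED" '
    'operation="exec" profile="/usr/bin/evince" name="/usr/bin/python3" pid=2203',
]
```

Running `search_avc(SAMPLE_LOG, True)` returns only the SELinux record, while `search_avc(SAMPLE_LOG, False)` returns all three with their LSM identified.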