From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tony Jones Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log Date: Mon, 23 Jun 2014 17:06:55 -0700 Message-ID: <53A8C11F.7040409@suse.de> References: <53866422.5010709@suse.de> <31153503.SQnCbJNRtA@x2> <20140530201644.GA22335@boyd> <9810096.ghxOlbMYMG@x2> <20140606184648.GA15921@boyd> <20140606211051.GB15921@boyd> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20140606211051.GB15921@boyd> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Tyler Hicks , Steve Grubb Cc: wpreston@suse.com, linux-audit@redhat.com, seth.arnold@canonical.com List-Id: linux-audit@redhat.com On 06/06/2014 02:10 PM, Tyler Hicks wrote: > [Added Eric to cc] You didn't actually add Eric to the Cc: Adding him. > > On 2014-06-06 13:46:48, Tyler Hicks wrote: >> On 2014-05-30 17:00:04, Steve Grubb wrote: >>> On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote: >>>> On 2014-05-30 15:53:49, Steve Grubb wrote: >>>>> On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote: >>>>>> This patch came from our L3 department. AppArmor LSM is logging using >>>>>> the >>>>>> common_lsm_audit() call but the audit userspace parsing code expects to >>>>>> see >>>>>> an SELinux tclass field. This patch doesn't address the lack of support >>>>>> for >>>>>> AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical >>>>>> apparently >>>>>> has patches for this; if this is true perhaps they can post for >>>>>> inclusion. >>>>>> >>>>>> Based-on-work-by: William Preston >>>>>> Signed-off-by: Tony Jones >>>>> >>>>> I was looking at this patch and was wondering something. Does AppArmor >>>>> produce AUDIT_AVC events? >>>> >>>> It does. Here's an odd ball that I picked out of my audit log: >>> >>> Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so that this >>> problem would never happen. >>> >>> libaudit.h: >>> #define AUDIT_FIRST_SELINUX 1400 >>> #define AUDIT_LAST_SELINUX 1499 >>> #define AUDIT_FIRST_APPARMOR 1500 >>> #define AUDIT_LAST_APPARMOR 1599 >> >> I wasn't involved with AppArmor when it was going through upstream >> acceptance reviews, but I've asked around to get the history. >> >> As Tony mentioned, AppArmor was originally using the 1500-1599 block. At >> some point (I couldn't find it in the list archives), it was said that >> AppArmor needs to use common_lsm_audit() which unconditionally uses >> AUDIT_AVC. > > I found the review that caused AppArmor to switch to the common LSM > audit function: > > https://lkml.org/lkml/2009/11/9/232 > > That email is almost 5 years old and minds can change over that time, > but Eric seemed to be against adding new audit event types for each LSM. > Instead, he wanted a lsm= pair to be included in the message. > > AppArmor can accommodate either approach so I think Steve and Eric ought > to come to an agreement on what non-SELinux LSMs should do when > auditing. > > Tyler > > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit >