From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Paris <eparis@redhat.com>
Subject: Re: [PATCH 0/2] security/smack implement logging V2
Date: Mon, 06 Apr 2009 11:34:26 -0400
Message-ID: <1239032066.4009.5.camel@localhost.localdomain>
References: <49D86FFA.1010507@numericable.fr>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <49D86FFA.1010507@numericable.fr>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Etienne Basset <etienne.basset@numericable.fr>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, LSM <linux-security-module@vger.kernel.org>, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sun, 2009-04-05 at 10:46 +0200, Etienne Basset wrote:

> the following 2 patches implements auditing of security events for Smack.
> It tries to implement what Eric Paris suggested, and moves shareable code
> to include/linux/lsm_audit.h and security/lsm_audit.c.
> Smack specific logging functions are now defined in smack_access.c


> type=1400 audit(1238919813.116:21): SMACK[smack_inode_getattr]: action=denied subject="FOO" object="etienne" requested=r pid=6679 comm="bash" path="/home/etienne/Desktop" dev=sda8ino=1237000

Can we make SMACK[smack_inode_getarr] into key=value pairs too and get
rid of that extra ':'?  Anyone have naming suggestions?

lsm=SMACK function=smack_inode_getattr

also: dev=sda8ino=1237000  I'm guessing that was just a typo of you
putting the example into the e-mail, but you may want to double check.

-Eric