public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Tony Jones <tonyj@suse.de>
Cc: wpreston@suse.com, linux-audit@redhat.com, seth.arnold@canonical.com
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Tue, 03 Jun 2014 10:47:17 -0400
Message-ID: <1418765.RMuE53Kd9z@x2>
In-Reply-To: <538D1E46.9040909@suse.de>

On Monday, June 02, 2014 06:00:54 PM Tony Jones wrote:
> On 05/29/2014 01:31 AM, Tyler Hicks wrote:
> > I'm surprised that this patch makes ausearch work correctly for AppArmor
> > AVC events. The first thing that parse_avc() does is look for the
> > "avc: " term in the AVCs that SELinux generates. AppArmor's AVCs don't
> > include that string, so an.avc_result and an.avc_perm would not be set,
> > would they?
> 
> That patch does "work" (tested w/ svn trunk).

Right. The parsing code aborts the parse if it doesn't find required/expected 
fields. So, if a field is missing, it skips the event. The --debug option will 
print events that get skipped due to being malformed.

> After I read your comment I
> looked at the code and I was confused also as 'avc_result == AVC_UNSET' but
> find_avc() which checks against UNSET isn't being called, rather the
> record gets selected for output by 'n = list_get_cur(l)'
> [ausearch-match.c:113]. I would need to spend more time to fully
> understand what is happening in the code.

Ausearch is simple. It gathers fields only if they are relevant to the command 
line flags. If auid is given, it collects those fields, but the parser expects a 
well formed event or it will exclude it from the results.


> Without patch, ausearch just outputs "<no matches>"

Yep. So, the question is really how to fix this. Should we have a different 
function that is swung in with #ifdef WITH_APPARMOR called parse_aa_avc? Then 
it can be tuned exactly for AppArmor's needs? Later, the kernel event number 
can be changed and the switch/case can pick that up. Also, are there other AA 
events that are missing in action? The ausearch-test should tell you.

-Steve
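The behaviour Steve describes above (the parser aborting on a record that lacks the fields it expects, the event then being silently skipped, and the proposed separate parse_aa_avc() for AppArmor records) can be illustrated with a small stand-alone parser. The code below is an added example written for this archive page; it is not ausearch's own code, and apart from AVC_UNSET and the proposed name parse_aa_avc the struct, function and field choices are assumptions. The sample records are constructed, not real log data.

```c
/* Added example (not ausearch code): a minimal AVC-record parser that skips
 * records missing the fields it expects and reports the skip when debugging. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum avc_result { AVC_UNSET = 0, AVC_DENIED, AVC_GRANTED };

struct avc_info {
    enum avc_result result;
    char perm[64];          /* first permission named in the record */
};

/* Copy the double-quoted value following key (e.g. apparmor=") into buf. */
static int get_quoted(const char *msg, const char *key, char *buf, size_t len)
{
    const char *p = strstr(msg, key), *end;
    size_t n;
    if (!p || !(end = strchr(p += strlen(key), '"')))
        return -1;
    n = (size_t)(end - p);
    if (n >= len)
        n = len - 1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* SELinux style: "avc:  denied  { read } for  pid=...". Returns -1 (abort)
 * when the "avc: " marker or the permission braces are absent. */
static int parse_selinux_avc(const char *msg, struct avc_info *out)
{
    const char *p = strstr(msg, "avc: "), *lb, *rb;
    size_t n;
    if (!p)
        return -1;
    for (p += 5; *p == ' '; p++) ;
    if (strncmp(p, "denied", 6) == 0)
        out->result = AVC_DENIED;
    else if (strncmp(p, "granted", 7) == 0)
        out->result = AVC_GRANTED;
    else
        return -1;
    lb = strchr(p, '{');
    rb = lb ? strchr(lb, '}') : NULL;
    if (!lb || !rb)
        return -1;
    for (lb++; *lb == ' '; lb++) ;
    n = strcspn(lb, " }");
    if (n >= sizeof(out->perm))
        n = sizeof(out->perm) - 1;
    memcpy(out->perm, lb, n);
    out->perm[n] = '\0';
    return 0;
}

/* AppArmor style: apparmor="DENIED" ... denied_mask="r". This is the separate
 * parser the thread proposes; treating ALLOWED/AUDIT as granted is an assumption. */
static int parse_aa_avc(const char *msg, struct avc_info *out)
{
    char val[16];
    if (get_quoted(msg, "apparmor=\"", val, sizeof(val)) < 0)
        return -1;
    if (strcmp(val, "DENIED") == 0)
        out->result = AVC_DENIED;
    else if (strcmp(val, "ALLOWED") == 0 || strcmp(val, "AUDIT") == 0)
        out->result = AVC_GRANTED;
    else
        return -1;
    if (get_quoted(msg, "denied_mask=\"", out->perm, sizeof(out->perm)) < 0 &&
        get_quoted(msg, "requested_mask=\"", out->perm, sizeof(out->perm)) < 0)
        return -1;
    return 0;
}

/* Dispatch on the record's own marker; 0 on success, -1 means skip the event. */
int parse_avc(const char *msg, struct avc_info *out)
{
    memset(out, 0, sizeof(*out));
    if (strstr(msg, "apparmor=\""))
        return parse_aa_avc(msg, out);
    return parse_selinux_avc(msg, out);
}

/* Returns the parsed result, or -1 if the record would be skipped. */
int avc_result_of(const char *msg)
{
    struct avc_info info;
    return parse_avc(msg, &info) == 0 ? (int)info.result : -1;
}

/* 1 if the record parses and its first permission equals expect. */
int avc_perm_is(const char *msg, const char *expect)
{
    struct avc_info info;
    return parse_avc(msg, &info) == 0 && strcmp(info.perm, expect) == 0;
}

/* Count records that parse; with debug set, report each skipped record the
 * way ausearch --debug surfaces malformed events. */
int count_parsable(const char *const *lines, int n, int debug)
{
    struct avc_info info;
    int ok = 0, i;
    for (i = 0; i < n; i++) {
        if (parse_avc(lines[i], &info) == 0)
            ok++;
        else if (debug)
            fprintf(stderr, "skipping malformed event: %s\n", lines[i]);
    }
    return ok;
}

/* Constructed sample records (not real log data). */
const char *const sample_records[] = {
    "type=AVC msg=audit(1401800000.123:456): avc:  denied  { read } for  pid=1234 comm=\"cat\" name=\"shadow\" dev=\"sda1\" ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file",
    "type=AVC msg=audit(1401800001.456:457): apparmor=\"DENIED\" operation=\"open\" profile=\"/usr/bin/example\" name=\"/etc/shadow\" pid=2345 comm=\"example\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0",
    "type=AVC msg=audit(1401800002.789:458): record with no usable marker",
};
const int sample_count = 3;

int main(void)
{
    printf("%d of %d records parsed\n",
           count_parsable(sample_records, sample_count, 1), sample_count);
    return 0;
}
```

Running it with debug on prints the third record as skipped, which is exactly what a missing-field abort looks like from the outside: without the debug line the record simply never reaches the match stage, and a search for it reports no matches. Running the SELinux parser alone on the AppArmor record also returns -1, which is Tyler's point that the "avc: " marker is never found in AppArmor output.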

Thread overview: 23+ messages
2014-05-28 22:33 [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log Tony Jones
2014-05-29  8:31 ` Tyler Hicks
2014-05-29 15:01   ` Steve Grubb
2014-05-29 15:15     ` Tyler Hicks
2014-06-03  1:00   ` Tony Jones
2014-06-03 14:47     ` Steve Grubb [this message]
2014-06-03 16:34       ` Tony Jones
2014-05-29 15:21 ` Tyler Hicks
2014-05-30 19:53 ` Steve Grubb
2014-05-30 20:16   ` Tyler Hicks
2014-05-30 21:00     ` Steve Grubb
2014-05-31  0:01       ` Tony Jones
2014-06-06 18:46       ` Tyler Hicks
2014-06-06 21:10         ` Tyler Hicks
2014-06-24  0:06           ` Tony Jones
2014-06-24 15:34             ` Eric Paris
  -- strict thread matches above, loose matches on Subject: below --
2016-04-29  7:03 Vincas Dargis
2016-04-29 13:39 ` Steve Grubb
2016-04-29 16:07   ` Vincas Dargis
2016-04-29 16:30     ` Steve Grubb
2016-05-02 21:18       ` Paul Moore
2016-04-29 15:41 ` Richard Guy Briggs
2016-04-29 16:58   ` Vincas Dargis
