From: Steve Grubb <sgrubb@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-audit@redhat.com, selinux@tycho.nsa.gov
Subject: Re: [PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting
Date: Tue, 22 Nov 2016 15:13:40 -0500
Message-ID: <1612970.M9BsOE2y15@x2>
In-Reply-To: <8fc7f4df-3c1a-3c5b-ceb9-67b140383ee7@tycho.nsa.gov>
On Tuesday, November 22, 2016 2:47:15 PM EST Stephen Smalley wrote:
> >> At present, we only generate AUDIT_MAC_STATUS, AUDIT_MAC_LOAD, and
> >> AUDIT_MAC_CONFIG_CHANGE on success (or at least partial success). If
> >> you truly need to audit failures, then it seems like you either need to
> >> a) do it through syscall audit filters, which already provide a success=
> >> field
> >
> > I can't imagine what to audit on. There is an open syscall that has a
> > path. But I suspect that does not fail because policy has not been written.
> > There is a write syscall but triggering on that is pretty generic. This is
> > not ideal.
>
> Can't you write an audit syscall filter or watch on
> /sys/fs/selinux/load? Ditto for /sys/fs/selinux/enforce,
> /sys/fs/selinux/commit_pending_bools, etc.
Yes, you can. But this is for the open syscall. sel_write_load() is the
function where the auditing is done, but it's mapped to the .write member of
sel_load_ops. Auditing on write is not a good thing.
So, if AUDIT_MAC_POLICY_LOAD must only appear when there is success, then it's
best to create a second event for failure and hard code the 'res' fields for
both.
-Steve
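The two approaches discussed in this thread produce different records: a syscall watch on /sys/fs/selinux/load yields a SYSCALL record that always carries a success= field, while the MAC_POLICY_LOAD event, as the thread notes, is emitted only when the load succeeded. The following parser is an added example, not code from the thread or the kernel; the log lines are constructed, the res= field on MAC_POLICY_LOAD and the "selinux-policy" watch key are assumptions, and the record layout only mirrors the audit log's key=value style rather than reproducing any exact kernel output.

```python
import re

# Constructed sample records (not real kernel output). Serial 456 is a
# successful policy load reported by the MAC subsystem; 457 and 458 are
# write(2) SYSCALL records produced by an assumed watch rule on
# /sys/fs/selinux/load (key "selinux-policy"); 459 is an unrelated write.
SAMPLE_LOG = """\
type=MAC_POLICY_LOAD msg=audit(1479846000.123:456): policy loaded auid=1000 ses=3 res=1
type=SYSCALL msg=audit(1479846001.000:457): arch=c000003e syscall=1 success=no exit=-22 a0=3 a1=7f0 a2=100 a3=0 items=1 ppid=1 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="load_policy" exe="/sbin/load_policy" key="selinux-policy"
type=SYSCALL msg=audit(1479846002.000:458): arch=c000003e syscall=1 success=yes exit=4096 a0=3 a1=7f0 a2=1000 a3=0 items=1 ppid=1 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="load_policy" exe="/sbin/load_policy" key="selinux-policy"
type=SYSCALL msg=audit(1479846003.000:459): arch=c000003e syscall=1 success=yes exit=12 a0=1 a1=7f0 a2=c a3=0 items=0 ppid=1 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="bash" exe="/bin/bash" key=(null)
"""

# The watch rule (auditctl syntax) assumed to have produced the keyed
# SYSCALL records above; -p w restricts the watch to write access.
WATCH_RULE = '-w /sys/fs/selinux/load -p w -k selinux-policy'

# Matches key=value pairs: quoted values, parenthesised values like (null),
# or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
HEADER_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)')


def parse_record(line):
    """Split one audit record into a dict; returns None for non-records."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    for key, value in FIELD_RE.findall(m.group(4)):
        rec[key] = value.strip('"')
    return rec


def policy_load_outcomes(log_text, watch_key="selinux-policy"):
    """Return one outcome per policy-load-related record.

    MAC_POLICY_LOAD records are taken as successful unless an explicit
    res=0 is present (assumed field).  SYSCALL records are only considered
    when they carry the watch key, and their outcome comes from success=.
    """
    outcomes = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "MAC_POLICY_LOAD":
            outcomes.append({
                "serial": rec["serial"],
                "source": "MAC_POLICY_LOAD",
                "success": rec.get("res", "1") == "1",
                "auid": rec.get("auid"),
            })
        elif rec["type"] == "SYSCALL" and rec.get("key") == watch_key:
            outcomes.append({
                "serial": rec["serial"],
                "source": "SYSCALL",
                "success": rec.get("success") == "yes",
                "auid": rec.get("auid"),
                "exit": rec.get("exit"),
                "exe": rec.get("exe"),
            })
    return outcomes


def failed_policy_loads(log_text, watch_key="selinux-policy"):
    """Only the watch-derived SYSCALL records can reveal a failed load."""
    return [o for o in policy_load_outcomes(log_text, watch_key)
            if not o["success"]]


if __name__ == "__main__":
    for outcome in policy_load_outcomes(SAMPLE_LOG):
        print(outcome)
    print("failed:", failed_policy_loads(SAMPLE_LOG))
```

Running it on the sample shows the gap the thread is about: the failed attempt (serial 457, exit=-22) is visible only through the keyed SYSCALL record, since no MAC_POLICY_LOAD record exists for it; the unrelated write (serial 459) is filtered out by the key check rather than by the syscall number, which is the "pretty generic" problem with matching on write alone.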
Thread overview:
2016-11-21 17:30 [PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting Steve Grubb
2016-11-21 21:50 ` Paul Moore
2016-11-21 22:51 ` Steve Grubb
[not found] ` <CAHC9VhSYkymKzvbOW1vkZ_Ae=VGZc8TcMKimyXO0iO7e6M8GzQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-22 13:56 ` Stephen Smalley
2016-11-22 14:28 ` Steve Grubb
2016-11-22 14:55 ` Stephen Smalley
2016-11-22 18:53 ` Lenny Bruzenak
2016-11-22 19:39 ` Steve Grubb
2016-11-22 19:47 ` Stephen Smalley
2016-11-22 20:13 ` Steve Grubb [this message]