From: Paul Moore <paul.moore@hp.com>
To: linux-audit@redhat.com
Subject: Re: [RFC PATCH] New audit message for NetLabel static/fallback labels
Date: Wed, 21 Nov 2007 16:37:43 -0500 [thread overview]
Message-ID: <200711211637.44057.paul.moore@hp.com> (raw)
In-Reply-To: <200711211626.57401.paul.moore@hp.com>
On Wednesday 21 November 2007 4:26:57 pm Paul Moore wrote:
> On Wednesday 21 November 2007 4:21:26 pm Linda Knippers wrote:
> > Paul Moore wrote:
> > > For reference, here are four examples of the new message types pulled
> > > from a Fedora Rawhide machine running this patch:
> > >
> > > * adding new fallback label using network interface "lo" and
> > > address "127.0.0.0/8"
> > >
> > > type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
> > > auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> > > netif=lo daddr=127.0.0.0 daddr_mask=8 \
> > > sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> >
> > At the risk of being nit-picky, it seems like the convention for network
> > addresses is either separate address and netmask fields, or the combined
> > address/bits-in-netmask notation. For example, ifconfig (on ubuntu,
> > anyway) uses the former for IPv4 and the later for IPv6 addresses.
> >
> > lo Link encap:Local Loopback
> > inet addr:127.0.0.1 Mask:255.0.0.0
> > inet6 addr: ::1/128 Scope:Host
> >
> > These audit records separate the two values but use the bits-in-netmask
> > instead of the netmask in dot notation, which seems inconsistent to me.
> > Seems like the audit record above should either have an address of
> > 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.
>
> I agree in that I like seeing the netmask attached to the address, but when
> I posed the question earlier to the list there was concern that this would
> cause breakage in the tools. I just thought of something, would you be
> more comfortable if I changed the name from 'daddr_mask' to
> 'daddr_prefixlen'?
The more I think about this, the more I like the idea of 'daddr_prefixlen',
I'm going to go and make that change. Although I'm still unclear of how
people would like to see the netmask information - part of the address or
separate.
For what it is worth I think we are going to need to augment the existing
IPsec SPD audit messages to include this information as well (see my other
mail).
--
paul moore
linux security @ hp
prev parent reply other threads:[~2007-11-21 21:38 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-21 19:49 [RFC PATCH] New audit message for NetLabel static/fallback labels Paul Moore
2007-11-21 19:49 ` [RFC PATCH] NetLabel: add auditing to the static labeling mechanism Paul Moore
2007-11-21 21:21 ` [RFC PATCH] New audit message for NetLabel static/fallback labels Linda Knippers
2007-11-21 21:26 ` Paul Moore
2007-11-21 21:37 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200711211637.44057.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox