From: Paul Moore <paul.moore@hp.com>
To: linux-audit@redhat.com
Subject: [RFC PATCH] New audit message for NetLabel static/fallback labels
Date: Wed, 21 Nov 2007 14:49:38 -0500
Message-ID: <20071121193512.12714.406.stgit@flek.americas.hpqcorp.net>
Those of you who follow the SELinux and/or LSM mailing lists know there is
work currently underway to provide static or fallback network peer labels for
use when traditional labeled networking (CIPSO or Labeled IPsec) is not
present. For the same reasons that NetLabel or Labeled IPsec configuration
changes are considered "auditable events", configuring the static/fallback
labels should likely be treated as an auditable event as well.

The patch below is part of a larger patchset which contains this new
functionality which has already been posted many times to the SELinux and LSM
lists. Those interested in the patchset are encouraged to look into the
archives of those mailing lists or check out the git tree here:

* git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

I'm posting this patch to the audit list for comments/review as it contains
all of the audit related changes and I'd like to sort out any issues the
audit community may have sooner rather than later. Please take a few minutes
to look over the changes, most importantly the new message types, and either
send me mail or preferably send mail straight to the audit list.

For reference, here are four examples of the new message types pulled from a
Fedora Rawhide machine running this patch:

* adding new fallback label using network interface "lo" and
  address "127.0.0.0/8"

type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
netif=lo daddr=127.0.0.0 daddr_mask=8 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1

* adding new fallback label using the default network interface and
  address "192.168.0.10"

type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
daddr=192.168.0.10 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1

* deleting the configuration for network interface "lo" and
  address "127.0.0.0/8"

type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
netif=lo daddr=127.0.0.0 daddr_mask=8 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1

* deleting the configuration for the default network interface and
  address "192.168.0.10"

type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
daddr=192.168.0.10 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1

--
paul moore
linux security @ hp
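As an added example (not part of the post or of the patchset it describes), the following Python parses the four record formats quoted above and replays them to reconstruct the static-label table the audit trail implies. The record type numbers 1416 and 1417 are the ones shown in the quoted records (mainline linux/audit.h later named them AUDIT_MAC_UNLBL_STCADD and AUDIT_MAC_UNLBL_STCDEL; the RFC itself only shows the numbers). The "<default>" placeholder for a record with no netif= field, the class and function names, and the sample log text (the four records, re-wrapped with backslashes as the post shows them) are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Record type numbers as they appear in the example records in the message.
# Assumed names for this example; the RFC shows only the numbers.
NETLABEL_STATIC_ADD = 1416
NETLABEL_STATIC_DEL = 1417

# Constructed sample: the four records quoted in the message, line-wrapped
# with trailing backslashes exactly as the post shows them.
SAMPLE_LOG = r"""type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
netif=lo daddr=127.0.0.0 daddr_mask=8 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
daddr=192.168.0.10 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
netif=lo daddr=127.0.0.0 daddr_mask=8 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
daddr=192.168.0.10 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1
"""

# type=NAME[NUM] msg=audit(SECONDS.MILLIS:SERIAL): <body>
HEADER_RE = re.compile(
    r"^type=(?P<tname>\w+)(?:\[(?P<tnum>\d+)\])?\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)


@dataclass
class AuditRecord:
    type_num: Optional[int]      # None when the type is printed by name only
    timestamp: float
    serial: int
    fields: Dict[str, str]

    @property
    def action(self) -> str:
        return {NETLABEL_STATIC_ADD: "add",
                NETLABEL_STATIC_DEL: "delete"}.get(self.type_num, "other")

    @property
    def netif(self) -> str:
        # A record without netif= is the default (catch-all interface) entry.
        return self.fields.get("netif", "<default>")

    @property
    def address(self) -> str:
        # daddr_mask is only emitted for a network entry, not for a single host.
        addr = self.fields["daddr"]
        mask = self.fields.get("daddr_mask")
        return f"{addr}/{mask}" if mask else addr

    @property
    def succeeded(self) -> bool:
        return self.fields.get("res") == "1"


def unwrap(text: str) -> List[str]:
    """Join physical lines ending in a backslash into one logical record."""
    records, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            records.append(buf.strip())
        buf = ""
    if buf.strip():
        records.append(buf.strip())
    return records


def parse_record(line: str) -> AuditRecord:
    """Split one logical record into its header and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    tnum = int(m.group("tnum")) if m.group("tnum") else None
    # The "netlabel:" prefix carries no '=' and is skipped by the field scan.
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("body")))
    return AuditRecord(tnum, float(m.group("ts")), int(m.group("serial")), fields)


def parse_log(text: str) -> List[AuditRecord]:
    return [parse_record(rec) for rec in unwrap(text)]


def replay(records: List[AuditRecord]) -> Dict[Tuple[str, str], str]:
    """Replay successful add/delete records in order to rebuild the static
    label table as the audit trail implies it, keyed by (netif, address)."""
    table: Dict[Tuple[str, str], str] = {}
    for rec in records:
        if not rec.succeeded:
            continue          # a res=0 record changed nothing
        key = (rec.netif, rec.address)
        if rec.action == "add":
            table[key] = rec.fields.get("sec_obj", "")
        elif rec.action == "delete":
            table.pop(key, None)
    return table


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r.serial}: {r.action} netif={r.netif} addr={r.address} "
              f"label={r.fields.get('sec_obj')} auid={r.fields.get('auid')} "
              f"{'ok' if r.succeeded else 'FAILED'}")
    print("table after replay:", replay(recs))
```

Replaying the trail is the useful part for a reviewer: after the two adds the table holds both entries, after the two deletes it is empty again, and any record with res=0 is ignored because it did not change the configuration. The auid and subj fields identify who made each change, which is the reason these operations are being made auditable in the first place.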