From: Paul Moore
Subject: [RFC PATCH] New audit message for NetLabel static/fallback labels
Date: Wed, 21 Nov 2007 14:49:38 -0500
Message-ID: <20071121193512.12714.406.stgit@flek.americas.hpqcorp.net>
To: linux-audit@redhat.com

Those of you who follow the SELinux and/or LSM mailing lists know there is work currently underway to provide static or fallback network peer labels for use when traditional labeled networking (CIPSO or Labeled IPsec) is not present. For the same reasons that NetLabel or Labeled IPsec configuration changes are considered "auditable events", configuring the static/fallback labels should likely be treated as an auditable event as well. The patch below is part of a larger patchset which contains this new functionality which has already been posted many times to the SELinux and LSM lists.
Those interested in the patchset are encouraged to look into the archives of those mailing lists or check out the git tree here:

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

I'm posting this patch to the audit list for comments/review as it contains all of the audit related changes and I'd like to sort out any issues the audit community may have sooner rather than later. Please take a few minutes to look over the changes, most importantly the new message types, and either send me mail or preferably send mail straight to the audit list.

For reference, here are four examples of the new message types pulled from a Fedora Rawhide machine running this patch:

 * adding new fallback label using network interface "lo" and address "127.0.0.0/8"

   type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    netif=lo daddr=127.0.0.0 daddr_mask=8 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * adding new fallback label using the default network interface and address "192.168.0.10"

   type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    daddr=192.168.0.10 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for network interface "lo" and address "127.0.0.0/8"

   type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    netif=lo daddr=127.0.0.0 daddr_mask=8 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for the default network interface and address "192.168.0.10"

   type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    daddr=192.168.0.10 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

-- 
paul moore
linux security @ hp
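The four records above are the whole contract a log consumer has to work from: the two type numbers (1416 for an add, 1417 for a delete), the `netlabel:` prefix, and the `auid`, `subj`, optional `netif`, `daddr`, optional `daddr_mask`, `sec_obj` and `res` fields. The following parser is an added example written for this page; it is not code from Paul Moore's patch or from the audit userspace. It joins the backslash-continued lines as posted, extracts the fields, turns `daddr` + `daddr_mask` into CIDR form, and replays successful adds and deletes into the resulting interface/network to label table, which is what a reviewer of these events would want to reconstruct. Two assumptions are labelled in the comments: a record without `daddr_mask` is treated as a single host (full-length prefix), and the type names `MAC_UNLBL_STCADD` / `MAC_UNLBL_STCDEL` are the names mainline Linux later gave numbers 1416 and 1417, which this mail does not mention.

```python
"""Parse NetLabel static/fallback label audit records (types 1416 / 1417)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Type numbers exactly as they appear in the sample records in the mail
# (printed as type=UNKNOWN[1416] / UNKNOWN[1417] because the userspace
# audit tools of the time had no name for them).
STATIC_LABEL_ADD = 1416
STATIC_LABEL_DEL = 1417

# Assumption, not from the mail: the names mainline Linux later assigned to
# these numbers (AUDIT_MAC_UNLBL_STCADD / AUDIT_MAC_UNLBL_STCDEL), so that
# records printed by a newer ausearch also parse.
TYPE_NAMES = {"MAC_UNLBL_STCADD": STATIC_LABEL_ADD,
              "MAC_UNLBL_STCDEL": STATIC_LABEL_DEL}

# Constructed sample input: the four records quoted in the mail, kept in the
# backslash-continued form in which they were posted.
SAMPLE_LOG = r"""
type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
 netif=lo daddr=127.0.0.0 daddr_mask=8 \
 sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
 daddr=192.168.0.10 \
 sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
 netif=lo daddr=127.0.0.0 daddr_mask=8 \
 sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
 daddr=192.168.0.10 \
 sec_obj=system_u:object_r:unlabeled_t:s0 res=1
"""

_TYPE_RE = re.compile(
    r"^type=(?P<name>\w+)(?:\[(?P<num>\d+)\])?\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class FallbackLabelEvent:
    action: str            # "add" or "delete"
    timestamp: float
    serial: int
    auid: int              # login uid of the administrator making the change
    subj: str              # SELinux context of the configuring process
    netif: Optional[str]   # None means the default interface (no netif= field)
    network: str           # daddr plus daddr_mask in CIDR form
    label: str             # sec_obj=, the peer label applied to that network
    success: bool          # res=1


def join_continuations(text: str) -> List[str]:
    """Glue lines ending in a backslash onto the following line."""
    records, current = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            current += line[:-1].rstrip() + " "
        else:
            records.append(current + line)
            current = ""
    if current:
        records.append(current.strip())
    return records


def parse_record(line: str) -> Optional[FallbackLabelEvent]:
    """Return an event for a static-label add/delete record, None otherwise."""
    m = _TYPE_RE.match(line)
    if not m:
        return None
    num = int(m.group("num")) if m.group("num") else TYPE_NAMES.get(m.group("name"))
    if num == STATIC_LABEL_ADD:
        action = "add"
    elif num == STATIC_LABEL_DEL:
        action = "delete"
    else:
        return None
    body = m.group("body")
    if not body.startswith("netlabel:"):
        return None
    fields = dict(_KV_RE.findall(body))
    for required in ("auid", "subj", "daddr", "sec_obj", "res"):
        if required not in fields:
            raise ValueError(f"record {m.group('serial')} lacks {required}=")
    addr = ipaddress.ip_address(fields["daddr"])
    # Assumption: a record without daddr_mask describes a single host.
    prefix = int(fields.get("daddr_mask", addr.max_prefixlen))
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return FallbackLabelEvent(action, float(m.group("ts")), int(m.group("serial")),
                              int(fields["auid"]), fields["subj"], fields.get("netif"),
                              str(network), fields["sec_obj"], fields["res"] == "1")


def parse_log(text: str) -> List[FallbackLabelEvent]:
    return [ev for ev in map(parse_record, join_continuations(text)) if ev]


def replay(events) -> Dict[Tuple[Optional[str], str], str]:
    """Apply successful adds/deletes in order; return (netif, network) -> label."""
    table: Dict[Tuple[Optional[str], str], str] = {}
    for ev in sorted(events, key=lambda e: (e.timestamp, e.serial)):
        if not ev.success:
            continue
        key = (ev.netif, ev.network)
        if ev.action == "add":
            table[key] = ev.label
        else:
            table.pop(key, None)
    return table


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.serial}: {ev.action} {ev.netif or '<default>'} {ev.network} -> {ev.label}")
    print("after first two records:", replay(evs[:2]))
    print("after all four records:", replay(evs))
```

Replaying the four sample records gives an empty table, since both adds are undone by the matching deletes; replaying only the first two shows the "lo"/127.0.0.0/8 and default-interface/192.168.0.10 entries with the unlabeled_t peer label. A record with `res=0` is parsed but not applied, so a failed change is still visible to whoever reviews the events without corrupting the reconstructed state.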