From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
Subject: Re: [PATCH] Add SELinux context and TTY name to AUDIT_TTY records
Date: Thu, 19 Mar 2009 16:58:10 -0400
Message-ID: <200903191658.10530.paul.moore@hp.com>
References: <273781508.1737621237483080376.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
In-Reply-To: <273781508.1737621237483080376.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
To: linux-audit@redhat.com
Cc: viro, Miloslav Trmac, linux-kernel
List-Id: linux-audit@redhat.com

On Thursday 19 March 2009 01:18:00 pm Miloslav Trmac wrote:
> From: Miloslav Trmač
>
> Add SELinux context information and TTY name (consistent with the
> AUDIT_SYSCALL record) to AUDIT_TTY. An example record after applying
> this patch:
>
> type=TTY msg=audit(1237480806.220:22): tty pid=2601 uid=0 auid=500 ses=1
> subj=unconfined_u:unconfined_r:unconfined_t:s0 major=136 minor=1 tty=pts1
> comm="bash" data=6361740D
>
> (line wrapped, new fields are "subj" and "tty".)
>
> Signed-off-by: Miloslav Trmač
> ---
> drivers/char/tty_audit.c | 57 ++++++++++++++++++++++++-------------
> 1 file changed, 38 insertions(+), 19 deletions(-)

Just a quick procedural comment, in the future you should include patches in
the body of the email; people will likely ignore your submission otherwise.

There are several audit experts which should review this code but two things
jumped out at me when glancing at your patch:

 1. SELinux SIDs should not be recorded
 2. From a SELinux/security point of view ttys are considered objects and
    their labels/contexts should be recorded with "obj=" not "subj="

-- 
paul moore
linux @ hp
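
Added example, not part of the original message or of the patch: a Python parser for the AUDIT_TTY record quoted above that decodes the hex "data" field into readable keystrokes. The function names and the rendering of control characters are choices made for this example; fields are stored under whatever key the record carries, so a label is picked up whether it is logged as subj= or obj=.

```python
import re
from datetime import datetime, timezone

# The record quoted in the message, unwrapped onto one line.
SAMPLE = (
    'type=TTY msg=audit(1237480806.220:22): tty pid=2601 uid=0 auid=500 ses=1 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0 major=136 minor=1 tty=pts1 '
    'comm="bash" data=6361740D'
)

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(?<!\S)(\w+)=("[^"]*"|\S+)')  # skips the bare "tty" token
NAMED = {0x0D: '<CR>', 0x0A: '<LF>', 0x09: '<TAB>', 0x1B: '<ESC>', 0x7F: '<DEL>'}


def render_keys(raw: bytes) -> str:
    """Make logged TTY input readable without emitting raw control bytes."""
    out = []
    for b in raw:
        if b in NAMED:
            out.append(NAMED[b])
        elif b < 0x20:
            out.append('^' + chr(b + 0x40))  # e.g. 0x03 -> ^C
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append('\\x%02x' % b)
    return ''.join(out)


def parse_tty_record(line: str) -> dict:
    """Parse one type=TTY audit line into a dict; ValueError on bad input."""
    m = HEADER.match(line.strip())
    if not m or m.group(1) != 'TTY':
        raise ValueError('not a type=TTY audit record')
    rec = {'time': datetime.fromtimestamp(int(m.group(2)), timezone.utc),
           'serial': int(m.group(4))}
    for key, val in FIELD.findall(m.group(5)):
        quoted = len(val) >= 2 and val[0] == val[-1] == '"'
        rec[key] = val[1:-1] if quoted else val
    for key in ('pid', 'uid', 'auid', 'ses', 'major', 'minor'):
        if key in rec:
            rec[key] = int(rec[key])
    try:
        rec['data'] = bytes.fromhex(rec.get('data', ''))
    except ValueError as exc:
        raise ValueError('data field is not valid hex') from exc
    rec['keys'] = render_keys(rec['data'])
    return rec
```

For the quoted record, parse_tty_record(SAMPLE)['keys'] is "cat<CR>": the user typed "cat" and pressed Enter on pts1.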