From: Tyler Hicks <tyhicks@canonical.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: seth.arnold@canonical.com, linux-audit@redhat.com, wpreston@suse.com
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Fri, 6 Jun 2014 16:10:51 -0500 [thread overview]
Message-ID: <20140606211051.GB15921@boyd> (raw)
In-Reply-To: <20140606184648.GA15921@boyd>
[-- Attachment #1.1: Type: text/plain, Size: 2321 bytes --]
[Added Eric to cc]
On 2014-06-06 13:46:48, Tyler Hicks wrote:
> On 2014-05-30 17:00:04, Steve Grubb wrote:
> > On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
> > > On 2014-05-30 15:53:49, Steve Grubb wrote:
> > > > On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
> > > > > This patch came from our L3 department. AppArmor LSM is logging using
> > > > > the
> > > > > common_lsm_audit() call but the audit userspace parsing code expects to
> > > > > see
> > > > > an SELinux tclass field. This patch doesn't address the lack of support
> > > > > for
> > > > > AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical
> > > > > apparently
> > > > > has patches for this; if this is true perhaps they can post for
> > > > > inclusion.
> > > > >
> > > > > Based-on-work-by: William Preston <wpreston@suse.com>
> > > > > Signed-off-by: Tony Jones <tonyj@suse.de>
> > > >
> > > > I was looking at this patch and was wondering something. Does AppArmor
> > > > produce AUDIT_AVC events?
> > >
> > > It does. Here's an odd ball that I picked out of my audit log:
> >
> > Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so that this
> > problem would never happen.
> >
> > libaudit.h:
> > #define AUDIT_FIRST_SELINUX 1400
> > #define AUDIT_LAST_SELINUX 1499
> > #define AUDIT_FIRST_APPARMOR 1500
> > #define AUDIT_LAST_APPARMOR 1599
>
> I wasn't involved with AppArmor when it was going through upstream
> acceptance reviews, but I've asked around to get the history.
>
> As Tony mentioned, AppArmor was originally using the 1500-1599 block. At
> some point (I couldn't find it in the list archives), it was said that
> AppArmor needs to use common_lsm_audit() which unconditionally uses
> AUDIT_AVC.
I found the review that caused AppArmor to switch to the common LSM
audit function:
https://lkml.org/lkml/2009/11/9/232
That email is almost 5 years old and minds can change over that time,
but Eric seemed to be against adding new audit event types for each LSM.
Instead, he wanted a lsm=<LSM> pair to be included in the message.
AppArmor can accommodate either approach so I think Steve and Eric ought
to come to an agreement on what non-SELinux LSMs should do when
auditing.
Tyler
[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2014-06-06 21:10 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-28 22:33 [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log Tony Jones
2014-05-29 8:31 ` Tyler Hicks
2014-05-29 15:01 ` Steve Grubb
2014-05-29 15:15 ` Tyler Hicks
2014-06-03 1:00 ` Tony Jones
2014-06-03 14:47 ` Steve Grubb
2014-06-03 16:34 ` Tony Jones
2014-05-29 15:21 ` Tyler Hicks
2014-05-30 19:53 ` Steve Grubb
2014-05-30 20:16 ` Tyler Hicks
2014-05-30 21:00 ` Steve Grubb
2014-05-31 0:01 ` Tony Jones
2014-06-06 18:46 ` Tyler Hicks
2014-06-06 21:10 ` Tyler Hicks [this message]
2014-06-24 0:06 ` Tony Jones
2014-06-24 15:34 ` Eric Paris
-- strict thread matches above, loose matches on Subject: below --
2016-04-29 7:03 Vincas Dargis
2016-04-29 13:39 ` Steve Grubb
2016-04-29 16:07 ` Vincas Dargis
2016-04-29 16:30 ` Steve Grubb
2016-05-02 21:18 ` Paul Moore
2016-04-29 15:41 ` Richard Guy Briggs
2016-04-29 16:58 ` Vincas Dargis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140606211051.GB15921@boyd \
--to=tyhicks@canonical.com \
--cc=linux-audit@redhat.com \
--cc=seth.arnold@canonical.com \
--cc=sgrubb@redhat.com \
--cc=wpreston@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox