From: Tyler Hicks
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Fri, 6 Jun 2014 16:10:51 -0500
Message-ID: <20140606211051.GB15921@boyd>
References: <53866422.5010709@suse.de> <31153503.SQnCbJNRtA@x2> <20140530201644.GA22335@boyd> <9810096.ghxOlbMYMG@x2> <20140606184648.GA15921@boyd>
In-Reply-To: <20140606184648.GA15921@boyd>
To: Steve Grubb
Cc: seth.arnold@canonical.com, linux-audit@redhat.com, wpreston@suse.com
List-Id: linux-audit@redhat.com

[Added Eric to cc]

On 2014-06-06 13:46:48, Tyler Hicks wrote:
> On 2014-05-30 17:00:04, Steve Grubb wrote:
> > On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
> > > On 2014-05-30 15:53:49, Steve Grubb wrote:
> > > > On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
> > > > > This patch came from our L3 department. AppArmor LSM is logging using
> > > > > the common_lsm_audit() call but the audit userspace parsing code expects to
> > > > > see an SELinux tclass field. This patch doesn't address the lack of support
> > > > > for AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical
> > > > > apparently has patches for this; if this is true perhaps they can post for
> > > > > inclusion.
> > > > >
> > > > > Based-on-work-by: William Preston
> > > > > Signed-off-by: Tony Jones
> > > >
> > > > I was looking at this patch and was wondering something. Does AppArmor
> > > > produce AUDIT_AVC events?
> > >
> > > It does. Here's an oddball that I picked out of my audit log:
> >
> > Uh-oh. I gave out the 1500 - 1599 block of events to AppArmor so that this
> > problem would never happen.
> >
> > libaudit.h:
> > #define AUDIT_FIRST_SELINUX 1400
> > #define AUDIT_LAST_SELINUX 1499
> > #define AUDIT_FIRST_APPARMOR 1500
> > #define AUDIT_LAST_APPARMOR 1599
>
> I wasn't involved with AppArmor when it was going through upstream
> acceptance reviews, but I've asked around to get the history.
>
> As Tony mentioned, AppArmor was originally using the 1500-1599 block. At
> some point (I couldn't find it in the list archives), it was said that
> AppArmor needs to use common_lsm_audit() which unconditionally uses
> AUDIT_AVC.

I found the review that caused AppArmor to switch to the common LSM audit
function:

https://lkml.org/lkml/2009/11/9/232

That email is almost 5 years old and minds can change over that time, but
Eric seemed to be against adding new audit event types for each LSM.
Instead, he wanted an lsm= pair to be included in the message.

AppArmor can accommodate either approach so I think Steve and Eric ought to
come to an agreement on what non-SELinux LSMs should do when auditing.
Tyler
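As an added illustration (not code from this thread or from the audit userspace project), the small Python classifier below shows the collision the thread describes: an AppArmor record emitted through common_lsm_audit() carries the same AUDIT_AVC type number as an SELinux record but no tclass= field, so a parser that requires tclass= cannot handle it. It checks for an explicit lsm= or apparmor= marker first and only then falls back to the 1400/1500 number blocks quoted from libaudit.h. The sample records, the AUDIT_AVC = 1400 value and the type=UNKNOWN[n] rendering of an unnamed type are assumptions.

```python
import re

# Event-type constants quoted from libaudit.h in the thread; AUDIT_AVC = 1400
# is an assumption taken from the kernel's uapi audit.h.
AUDIT_AVC = 1400
AUDIT_FIRST_SELINUX, AUDIT_LAST_SELINUX = 1400, 1499
AUDIT_FIRST_APPARMOR, AUDIT_LAST_APPARMOR = 1500, 1599

# Constructed sample records (not taken from the thread): an SELinux AVC
# with tclass=, an AppArmor AVC emitted via common_lsm_audit() with no
# tclass=, and an assumed 1500-block record that userspace has no name for.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1401234567.123:45): avc:  denied  { read } for  '
    'pid=1234 comm="cat" name="shadow" scontext=unconfined_u:unconfined_r:'
    'unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1401234568.456:46): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/etc/shadow" pid=1235 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=UNKNOWN[1501] msg=audit(1401234569.789:47): apparmor="DENIED" '
    'operation="capable" profile="/usr/bin/example" pid=1235 capname="net_admin"',
]

_TYPE_RE = re.compile(r'^type=(\w+)(?:\[(\d+)\])?')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def classify_avc(record):
    """Say which LSM emitted an AVC-style record and whether a parser that
    insists on SELinux's tclass= field (as ausearch did) could handle it."""
    m = _TYPE_RE.match(record)
    if m is None:
        raise ValueError("not an audit record: %r" % record)
    type_name, type_num = m.group(1), m.group(2)
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(record)}
    number = int(type_num) if type_num else (AUDIT_AVC if type_name == 'AVC' else None)
    # Prefer an explicit marker (Eric's lsm= pair, or the apparmor= key AppArmor
    # already emits); only then fall back to the numeric block from libaudit.h.
    if 'lsm' in fields:
        lsm = fields['lsm']
    elif 'apparmor' in fields:
        lsm = 'apparmor'
    elif 'tclass' in fields or 'scontext' in fields:
        lsm = 'selinux'
    elif number is not None and AUDIT_FIRST_APPARMOR <= number <= AUDIT_LAST_APPARMOR:
        lsm = 'apparmor'
    elif number is not None and AUDIT_FIRST_SELINUX <= number <= AUDIT_LAST_SELINUX:
        lsm = 'selinux'
    else:
        lsm = 'unknown'
    return {'type': number, 'lsm': lsm, 'tclass': fields.get('tclass'),
            'selinux_parser_ok': 'tclass' in fields}
```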