From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Tue, 24 Jun 2014 11:34:35 -0400
Message-ID: <20140624113435.715daaaf@flatline.rdu.redhat.com>
References: <53866422.5010709@suse.de> <31153503.SQnCbJNRtA@x2> <20140530201644.GA22335@boyd> <9810096.ghxOlbMYMG@x2> <20140606184648.GA15921@boyd> <20140606211051.GB15921@boyd> <53A8C11F.7040409@suse.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <53A8C11F.7040409@suse.de>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Tony Jones
Cc: wpreston@suse.com, linux-audit@redhat.com, seth.arnold@canonical.com
List-Id: linux-audit@redhat.com

I'm fine if other LSMs would like to use their own record type. Makes sense.

-Eric

On Mon, 23 Jun 2014 17:06:55 -0700 Tony Jones wrote:
> On 06/06/2014 02:10 PM, Tyler Hicks wrote:
> > [Added Eric to cc]
>
> You didn't actually add Eric to the Cc: Adding him.
>
> >
> > On 2014-06-06 13:46:48, Tyler Hicks wrote:
> >> On 2014-05-30 17:00:04, Steve Grubb wrote:
> >>> On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
> >>>> On 2014-05-30 15:53:49, Steve Grubb wrote:
> >>>>> On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
> >>>>>> This patch came from our L3 department. AppArmor LSM is logging using the
> >>>>>> common_lsm_audit() call but the audit userspace parsing code expects to see
> >>>>>> an SELinux tclass field. This patch doesn't address the lack of support for
> >>>>>> AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical apparently
> >>>>>> has patches for this; if this is true perhaps they can post for inclusion.
> >>>>>>
> >>>>>> Based-on-work-by: William Preston
> >>>>>> Signed-off-by: Tony Jones
> >>>>>
> >>>>> I was looking at this patch and was wondering something. Does
> >>>>> AppArmor produce AUDIT_AVC events?
> >>>>
> >>>> It does. Here's an odd ball that I picked out of my audit log:
> >>>
> >>> Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so
> >>> that this problem would never happen.
> >>>
> >>> libaudit.h:
> >>> #define AUDIT_FIRST_SELINUX 1400
> >>> #define AUDIT_LAST_SELINUX 1499
> >>> #define AUDIT_FIRST_APPARMOR 1500
> >>> #define AUDIT_LAST_APPARMOR 1599
> >>
> >> I wasn't involved with AppArmor when it was going through upstream
> >> acceptance reviews, but I've asked around to get the history.
> >>
> >> As Tony mentioned, AppArmor was originally using the 1500-1599
> >> block. At some point (I couldn't find it in the list archives), it
> >> was said that AppArmor needs to use common_lsm_audit() which
> >> unconditionally uses AUDIT_AVC.
> >
> > I found the review that caused AppArmor to switch to the common LSM
> > audit function:
> >
> > https://lkml.org/lkml/2009/11/9/232
> >
> > That email is almost 5 years old and minds can change over that
> > time, but Eric seemed to be against adding new audit event types
> > for each LSM. Instead, he wanted a lsm= pair to be included in
> > the message.
> >
> > AppArmor can accommodate either approach so I think Steve and Eric
> > ought to come to an agreement on what non-SELinux LSMs should do
> > when auditing.
> >
> > Tyler
> >
> >
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
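The parsing gap this thread is about, as an added example that is not code from the message, from audit-userspace or from AppArmor: AppArmor logs through common_lsm_audit(), so its records arrive with the AUDIT_AVC record type (1400 in the kernel's uapi audit.h), inside the SELinux block of libaudit.h that Steve quotes, yet they carry no tclass= field. A parser that treats tclass= as the marker of an AVC record silently drops every AppArmor denial, which is the ausearch symptom in the subject line; an LSM-aware parser keeps them. The range macros are the ones quoted above; the lsm= key is the convention Tyler says Eric proposed and is assumed here, not something any LSM is claimed to emit; the three sample records are constructed, not taken from a real log.

```c
/* Added example, not code from the thread or from audit-userspace.
 * A tclass=-keyed parser drops AppArmor AVC records; an LSM-aware parser
 * classifies SELinux, AppArmor and lsm=-tagged records alike. The lsm= key
 * is the convention proposed in the thread (assumed); records are constructed. */
#include <stdio.h>
#include <string.h>

#define AUDIT_AVC            1400   /* kernel uapi audit.h */
#define AUDIT_FIRST_SELINUX  1400   /* libaudit.h ranges, as quoted in the thread */
#define AUDIT_LAST_SELINUX   1499
#define AUDIT_FIRST_APPARMOR 1500
#define AUDIT_LAST_APPARMOR  1599

enum lsm_origin { LSM_UNKNOWN = 0, LSM_SELINUX, LSM_APPARMOR };

/* Which LSM a numeric record type belongs to, per the libaudit.h ranges. */
const char *range_owner(int type)
{
    if (type >= AUDIT_FIRST_SELINUX && type <= AUDIT_LAST_SELINUX)
        return "selinux";
    if (type >= AUDIT_FIRST_APPARMOR && type <= AUDIT_LAST_APPARMOR)
        return "apparmor";
    return "other";
}

/* Copy the value of key= into out, quotes stripped. Whole keys only, so
 * "class" does not match "tclass=". Returns 1 if found, else 0. */
int audit_field(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), n;
    const char *p = rec, *v, *end;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            v = p + klen + 1;
            if (*v == '"') {                        /* quoted value */
                end = strchr(++v, '"');
                if (end == NULL)
                    end = v + strlen(v);            /* unterminated quote */
            } else {
                end = v + strcspn(v, " ");          /* bare value */
            }
            n = (size_t)(end - v);
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Does key= in rec equal expected? */
int field_equals(const char *rec, const char *key, const char *expected)
{
    char buf[128];
    return audit_field(rec, key, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

/* What Tony describes: an AVC record is only recognised if it carries
 * SELinux's tclass= field, so AppArmor records fall through. */
int strict_parse(const char *rec)
{
    char buf[64];
    return audit_field(rec, "tclass", buf, sizeof buf) ? LSM_SELINUX : LSM_UNKNOWN;
}

/* LSM-aware: honour an explicit lsm= key, else fall back on fields each
 * LSM is known to emit (tclass= for SELinux, apparmor= for AppArmor). */
int lsm_parse(const char *rec)
{
    char buf[64];
    if (audit_field(rec, "lsm", buf, sizeof buf)) {
        if (strcmp(buf, "selinux") == 0)  return LSM_SELINUX;
        if (strcmp(buf, "apparmor") == 0) return LSM_APPARMOR;
        return LSM_UNKNOWN;
    }
    if (audit_field(rec, "tclass", buf, sizeof buf))   return LSM_SELINUX;
    if (audit_field(rec, "apparmor", buf, sizeof buf)) return LSM_APPARMOR;
    return LSM_UNKNOWN;
}

/* Constructed sample records in ausearch's key=value layout. */
static const char *selinux_rec =
    "type=AVC msg=audit(1403625000.123:101): avc:  denied  { read } for pid=1234 "
    "comm=\"httpd\" name=\"index.html\" scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file";
static const char *apparmor_rec =
    "type=AVC msg=audit(1403625001.456:102): apparmor=\"DENIED\" operation=\"open\" "
    "profile=\"/usr/sbin/cupsd\" name=\"/etc/cups/x\" pid=2345 comm=\"cupsd\" "
    "requested_mask=\"r\" denied_mask=\"r\" fsuid=0 ouid=0";
static const char *tagged_rec =                     /* proposed lsm= convention */
    "type=AVC msg=audit(1403625002.789:103): lsm=\"apparmor\" apparmor=\"DENIED\" "
    "operation=\"exec\" profile=\"/usr/bin/foo\" pid=3456 comm=\"foo\"";

int main(void)
{
    printf("AUDIT_AVC (%d) is in the %s block\n", AUDIT_AVC, range_owner(AUDIT_AVC));
    printf("strict:    selinux=%d apparmor=%d\n",
           strict_parse(selinux_rec), strict_parse(apparmor_rec));
    printf("lsm-aware: selinux=%d apparmor=%d tagged=%d\n",
           lsm_parse(selinux_rec), lsm_parse(apparmor_rec), lsm_parse(tagged_rec));
    return 0;
}
```

Running it shows the strict parser returning LSM_UNKNOWN for the AppArmor record while the LSM-aware parser classifies all three. For a defender the practical point is coverage: a reporting tool that keys on tclass= will show zero AppArmor denials even when the kernel logged them, so whichever convention the thread settles on (a separate record type per LSM, or an lsm= pair inside AUDIT_AVC), the consumer must recognise it before the logs can be trusted.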