From: Steve
Subject: Re: [PATCH] audit tools: add filterkey support
Date: Mon, 26 Jun 2006 08:49:07 -0400
Message-ID: <449FD7C3.6040700@ornl.gov>
References: <20060614224910.GB2268@zk3.dec.com>
In-reply-to: <20060614224910.GB2268@zk3.dec.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> Here is the userspace patch I used to test the kernel filterkey patch.

I have applied the filterkey patch to audit 1.2.3-1 and am receiving some strange dispatch events.
Look at the auid below:

Jun 26 08:42:58 otslab11 user_actions[2559]: type=1300, payload size=283
Jun 26 08:42:58 otslab11 user_actions[2559]: data="audit(1151325777.277:54): arch=40000003 syscall=5 success=yes exit=3 a0=bfea0c58 a1=8000 a2=0 a3=8000 items=1 ppid=2329 pid=2578 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key=(null)"
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1307, payload size=38
Jun 26 08:42:58 otslab11 user_actions[2559]: data="audit(1151325777.277:54): cwd="/root""
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1302, payload size=146
Jun 26 08:42:58 otslab11 user_actions[2559]: data="audit(1151325777.277:54): item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100666 ouid=500 ogid=500 rdev=00:00 obj=user_u:object_r:tmp_t:s0"

I haven't determined how to assign a key to a rule yet (maybe that is part of the problem). I am using the 2.6.17-1.2293.2.2_FC6.lspp.38.i686 kernel.

Steve
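As an added illustration (not part of this thread and not code from the audit project), the parser below reads dispatcher output of the shape posted above, pairs each `type=` header with its `data=` record, groups records by audit serial number, and reports the two things a reviewer would flag in the syscall record: `auid=4294967295`, which is `(uid_t)-1`, the value a task carries when its login uid was never set, and `key=(null)`, meaning the matching rule carried no filter key. The first event is the one from the message; the second event (serial 55, `auid=500`, `key="tmp-watch"`) is constructed here as a clean comparison.

```python
import re

# (uid_t)-1: the kernel's marker for a login uid that was never set on the task.
AUDIT_UID_UNSET = 0xFFFFFFFF

# Record types seen in the report: AUDIT_SYSCALL, AUDIT_PATH, AUDIT_CWD.
AUDIT_SYSCALL = 1300
AUDIT_PATH = 1302
AUDIT_CWD = 1307

# Sample input. Serial 54 is the event quoted in the message; serial 55 is a
# constructed contrast case with a login uid and a filter key present.
SAMPLE_LINES = [
    'Jun 26 08:42:58 otslab11 user_actions[2559]: type=1300, payload size=283',
    'Jun 26 08:42:58 otslab11 user_actions[2559]: data="audit(1151325777.277:54): arch=40000003 syscall=5 success=yes exit=3 a0=bfea0c58 a1=8000 a2=0 a3=8000 items=1 ppid=2329 pid=2578 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key=(null)"',
    'Jun 26 08:42:58 otslab11 user_actions[2559]: type=1307, payload size=38',
    'Jun 26 08:42:58 otslab11 user_actions[2559]: data="audit(1151325777.277:54): cwd="/root""',
    'Jun 26 08:42:58 otslab11 user_actions[2559]: type=1302, payload size=146',
    'Jun 26 08:42:58 otslab11 user_actions[2559]: data="audit(1151325777.277:54): item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100666 ouid=500 ogid=500 rdev=00:00 obj=user_u:object_r:tmp_t:s0"',
    # constructed comparison event
    'Jun 26 08:43:10 otslab11 user_actions[2559]: type=1300, payload size=200',
    'Jun 26 08:43:10 otslab11 user_actions[2559]: data="audit(1151325790.101:55): arch=40000003 syscall=5 success=yes exit=3 a0=bfea0c58 a1=8000 a2=0 a3=8000 items=1 ppid=2329 pid=2590 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key="tmp-watch""',
]

TYPE_RE = re.compile(r': type=(\d+), payload size=(\d+)$')
DATA_RE = re.compile(r': data="audit\((\d+\.\d+):(\d+)\): (.*)"$')
# name=value pairs; values are either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'auid=4294967295 comm="cat" key=(null)' into a dict, unquoting values."""
    fields = {}
    for name, value in FIELD_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[name] = value
    return fields


def parse_dispatch(lines):
    """Pair each type= header with the data= line that follows it and group
    the records by audit serial: {serial: {'timestamp': str, 'records': [...]}}."""
    events = {}
    pending_type = None
    for line in lines:
        m = TYPE_RE.search(line)
        if m:
            pending_type = int(m.group(1))
            continue
        m = DATA_RE.search(line)
        if m and pending_type is not None:
            timestamp, serial, body = m.groups()
            record = {'type': pending_type}
            record.update(parse_fields(body))
            event = events.setdefault(int(serial), {'timestamp': timestamp, 'records': []})
            event['records'].append(record)
            pending_type = None
    return events


def review_event(event):
    """Return human-readable findings for one event; an empty list means nothing odd."""
    findings = []
    for record in event['records']:
        if record['type'] != AUDIT_SYSCALL:
            continue
        auid = record.get('auid')
        if auid is not None and int(auid) == AUDIT_UID_UNSET:
            findings.append('auid=4294967295 is (uid_t)-1: login uid never set, '
                            'so the syscall cannot be tied to a login session')
        if record.get('key') in (None, '(null)'):
            findings.append('key=(null): the matching rule carried no filter key')
    return findings


def findings_by_serial(lines):
    """Map each audit serial in the input to its list of findings."""
    events = parse_dispatch(lines)
    return {serial: review_event(ev) for serial, ev in sorted(events.items())}


if __name__ == '__main__':
    for serial, findings in findings_by_serial(SAMPLE_LINES).items():
        print('audit serial %d: %s' % (serial, '; '.join(findings) or 'ok'))
```

Run against the sample, serial 54 yields both findings and the constructed serial 55 yields none; the same functions work on a live dispatcher log as long as each `data=` line follows its `type=` header, as in the output quoted above.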