From: Eamon Walsh
Subject: Re: missing avc message field names
Date: Mon, 29 Jan 2007 14:22:25 -0500
Message-ID: <45BE4971.6090601@tycho.nsa.gov>
In-Reply-To: <20070129185542.32977.qmail@web51502.mail.yahoo.com>
To: Steve G
Cc: linux-audit@redhat.com, selinux@tycho.nsa.gov, Karl MacMillan
List-Id: linux-audit@redhat.com

Steve G wrote:
>> If you have to include code for parsing the current format, why the rush
>> to change the kernel output?
>
> I was thinking that it should be done in near future so it's not forgotten. But
> that is the only reason. It could be delayed for a while.
>
> But back to the original question, any preference for non-conflicting names? :)

CC'ing linux-audit.

Some comments regarding userspace object managers and the userspace AVC: in general, userspace object managers will introduce new fields to the AVC messages. For example, the AVCs generated by the X server have fields such as window=, property=, and extension= for X-specific things which do not appear in the kernel AVCs. So it should be relatively easy to add new keywords to the dictionary, or even have the audit system gracefully accept keywords that are not in its dictionary.
If all of these keywords in the data dictionary have to be unique, I'm wondering if it might be useful to use a 3-tuple instead of a (name,value) pair. The 3-tuple would consist of (namespace,name,value) with namespace coming from a defined list of subsystems. So for example there would be an "SELinux" namespace encompassing all of the selinux keywords, so that the "result" and "perms" keywords from the previous example would not conflict with the "other" ones, which would presumably be in a different namespace. Or just prefix the names with "selinux-", "syscall-", etc.

Another request I have is that if this scheme moves forward, that we do away with the audit_log_user_avc_message(3) family of functions and instead introduce an interface that takes an array of name/value pairs making up the audit message, or a single string which it could parse as name/value pairs. This would be one-size-fits-all and would avoid the 10+ parameter situation with the current functions.

--
Eamon Walsh
National Security Agency
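The (namespace,name,value) scheme and the array-of-pairs interface proposed in the message above, as an added C example that is not part of the thread and is not libaudit's API: fields are rendered as `namespace-name=value` tokens (the prefix variant mentioned), parsed back into 3-tuples, and keywords absent from the dictionary are flagged rather than causing the record to be rejected. The dictionary, the namespace list, the field names, the quoting rule for values with whitespace and the buffer sizes are all assumptions made for this example.

```c
/* Added example: a hypothetical name/value-array audit interface with
 * namespaced keywords.  Not libaudit code; the dictionary and namespace
 * list below are constructed samples, not the real audit data dictionary. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define NS_MAX 16
#define NAME_MAX_LEN 32
#define VALUE_MAX 128

struct audit_field {
    char ns[NS_MAX];          /* "" for a field with no namespace */
    char name[NAME_MAX_LEN];
    char value[VALUE_MAX];
    int known;                /* 1 if (ns, name) is in the dictionary */
};

/* Constructed sample dictionary of (namespace, name) pairs. */
static const char *const dictionary[][2] = {
    { "selinux", "result" }, { "selinux", "perms" },
    { "syscall", "result" }, { "", "pid" }, { "", "comm" },
};
/* Registered namespaces; only these are split off as "ns-" prefixes. */
static const char *const namespaces[] = { "selinux", "syscall" };

static int in_dictionary(const char *ns, const char *name)
{
    size_t i;
    for (i = 0; i < sizeof dictionary / sizeof dictionary[0]; i++)
        if (strcmp(dictionary[i][0], ns) == 0 && strcmp(dictionary[i][1], name) == 0)
            return 1;
    return 0;
}

/* Render an array of fields as one record.  Values containing whitespace are
 * double-quoted so they survive parsing; values containing a quote or newline
 * are refused to keep the record unambiguous.  Returns bytes written or -1. */
int format_audit_record(char *buf, size_t buflen, const struct audit_field *f, size_t n)
{
    size_t used = 0, i;
    for (i = 0; i < n; i++) {
        const char *q = strpbrk(f[i].value, " \t") ? "\"" : "";
        int w;
        if (strpbrk(f[i].value, "\"\n"))
            return -1;
        w = snprintf(buf + used, buflen - used, "%s%s%s%s=%s%s%s",
                     i ? " " : "", f[i].ns, f[i].ns[0] ? "-" : "",
                     f[i].name, q, f[i].value, q);
        if (w < 0 || (size_t)w >= buflen - used)
            return -1;
        used += (size_t)w;
    }
    return (int)used;
}

/* Parse a record back into fields.  Unknown keywords are accepted and marked
 * known=0 instead of failing the whole record.  Returns the field count, or
 * -1 on a malformed token (missing '=', unterminated quote, oversized part). */
int parse_audit_record(const char *msg, struct audit_field *out, size_t max)
{
    size_t n = 0;
    const char *p = msg;
    while (*p) {
        char key[NS_MAX + NAME_MAX_LEN];
        const char *eq, *end, *vstart, *name = key;
        size_t klen, vlen, i;
        while (isspace((unsigned char)*p)) p++;
        if (!*p) break;
        if (n == max) return -1;
        eq = strchr(p, '=');
        if (!eq) return -1;
        klen = (size_t)(eq - p);
        if (klen == 0 || klen >= sizeof key) return -1;
        memcpy(key, p, klen); key[klen] = '\0';
        vstart = eq + 1;
        if (*vstart == '"') {                 /* quoted value */
            vstart++;
            end = strchr(vstart, '"');
            if (!end) return -1;
            vlen = (size_t)(end - vstart);
            end++;                            /* step past closing quote */
        } else {                              /* bare value runs to whitespace */
            end = vstart;
            while (*end && !isspace((unsigned char)*end)) end++;
            vlen = (size_t)(end - vstart);
        }
        if (vlen >= VALUE_MAX) return -1;
        out[n].ns[0] = '\0';
        for (i = 0; i < sizeof namespaces / sizeof namespaces[0]; i++) {
            size_t nl = strlen(namespaces[i]);
            if (klen > nl + 1 && strncmp(key, namespaces[i], nl) == 0 && key[nl] == '-') {
                strcpy(out[n].ns, namespaces[i]);
                name = key + nl + 1;
                break;
            }
        }
        if (strlen(name) >= NAME_MAX_LEN) return -1;
        strcpy(out[n].name, name);
        memcpy(out[n].value, vstart, vlen); out[n].value[vlen] = '\0';
        out[n].known = in_dictionary(out[n].ns, out[n].name);
        n++;
        p = end;
    }
    return (int)n;
}
```

Because the namespace split only happens for registered prefixes, an X-server field like `window=12` parses as a namespace-less keyword with `known=0`, which is the "accept but flag" behaviour the message argues for; a consumer can log or count such fields rather than dropping the record.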