[RFC PATCH] New audit message for NetLabel static/fallback labels

[RFC PATCH] New audit message for NetLabel static/fallback labels

[Paul Moore]

Those of you who follow the SELinux and/or LSM mailing lists know there is
work currently underway to provide static or fallback network peer labels for
use when traditional labeled networking (CIPSO or Labeled IPsec) is not
present.  For the same reasons that NetLabel or Labeled IPsec configuration
changes are considered "auditable events", configuring the static/fallback
labels should likely be treated as an auditable event as well.

The patch below is part of a larger patchset which contains this new
functionality which has already been posted many times to the SELinux and LSM
lists.  Those interested in the patchset are encouraged to look into the
archives of those mailing lists or check out the git tree here:

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

I'm posting this patch to the audit list for comments/review as it contains
all of the audit related changes and I'd like to sort out any issues the
audit community may have sooner rather than later.  Please take a few minutes
to look over the changes, most importantly the new message types and either
send me mail or preferably send mail straight to the audit list.

For reference, here are four examples of the new message types pulled from a
Fedora Rawhide machine running this patch:

 * adding new fallback label using network interface "lo" and 
   address "127.0.0.0/8"

   type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    netif=lo daddr=127.0.0.0 daddr_mask=8 \ 
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * adding new fallback label using the default network interface and 
   address "192.168.0.10"

   type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    daddr=192.168.0.10 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for network interface "lo" and
   address "127.0.0.0/8"

   type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    netif=lo daddr=127.0.0.0 daddr_mask=8 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for the defaul network interface and
   address "192.168.0.10"

   type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    daddr=192.168.0.10 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

-- 
paul moore
linux security @ hp

[RFC PATCH] NetLabel: add auditing to the static labeling mechanism

[Paul Moore]

This patch adds auditing support to the NetLabel static labeling mechanism.
---

 include/linux/audit.h             |    2 
 net/netlabel/netlabel_unlabeled.c |  207 ++++++++++++++++++++++++++++++++++---
 2 files changed, 195 insertions(+), 14 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index c687816..bdd6f5d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -115,6 +115,8 @@
 #define AUDIT_MAC_IPSEC_ADDSPD	1413	/* Not used */
 #define AUDIT_MAC_IPSEC_DELSPD	1414	/* Not used */
 #define AUDIT_MAC_IPSEC_EVENT	1415	/* Audit an IPSec event */
+#define AUDIT_MAC_UNLBL_STCADD	1416	/* NetLabel: add a static label */
+#define AUDIT_MAC_UNLBL_STCDEL	1417	/* NetLabel: del a static label */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index b71bedc..33556ee 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -143,6 +143,74 @@ static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1
 };
 
 /*
+ * Audit Helper Functions
+ */
+
+/**
+ * netlbl_unlbl_audit_addr4 - Audit an IPv4 address
+ * @audit_buf: audit buffer
+ * @dev: network interface
+ * @addr: IP address
+ * @mask: IP address mask
+ *
+ * Description:
+ * Write the IPv4 address and address mask, if necessary, to @audit_buf.
+ *
+ */
+static void netlbl_unlbl_audit_addr4(struct audit_buffer *audit_buf,
+				     const char *dev,
+				     __be32 addr, __be32 mask)
+{
+	u32 mask_val = ntohl(mask);
+
+	if (dev != NULL)
+		audit_log_format(audit_buf, " netif=%s", dev);
+	audit_log_format(audit_buf, " daddr=" NIPQUAD_FMT, NIPQUAD(addr));
+	if (mask_val != 0xffffffff) {
+		u32 mask_len = 0;
+		while (mask_val > 0) {
+			mask_val <<= 1;
+			mask_len++;
+		}
+		audit_log_format(audit_buf, " daddr_mask=%d", mask_len);
+	}
+}
+
+/**
+ * netlbl_unlbl_audit_addr6 - Audit an IPv6 address
+ * @audit_buf: audit buffer
+ * @dev: network interface
+ * @addr: IP address
+ * @mask: IP address mask
+ *
+ * Description:
+ * Write the IPv6 address and address mask, if necessary, to @audit_buf.
+ *
+ */
+static void netlbl_unlbl_audit_addr6(struct audit_buffer *audit_buf,
+				     const char *dev,
+				     const struct in6_addr *addr,
+				     const struct in6_addr *mask)
+{
+	if (dev != NULL)
+		audit_log_format(audit_buf, " netif=%s", dev);
+	audit_log_format(audit_buf, " daddr=" NIP6_FMT, NIP6(*addr));
+	if (ntohl(mask->s6_addr32[3]) != 0xffffffff) {
+		u32 mask_len = 0;
+		u32 mask_val;
+		int iter = -1;
+		while (ntohl(mask->s6_addr32[++iter]) == 0xffffffff)
+			mask_len += 32;
+		mask_val = ntohl(mask->s6_addr32[iter]);
+		while (mask_val > 0) {
+			mask_val <<= 1;
+			mask_len++;
+		}
+		audit_log_format(audit_buf, " daddr_mask=%d", mask_len);
+	}
+}
+
+/*
  * Unlabeled Connection Hash Table Functions
  */
 
@@ -519,6 +587,7 @@ add_iface_failure:
  * @mask: address mask in network byte order
  * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
  * @secid: LSM secid value for the entry
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Adds a new entry to the unlabeled connection hash table.  Returns zero on
@@ -530,12 +599,18 @@ static int netlbl_unlhsh_add(struct net *net,
 			     const void *addr,
 			     const void *mask,
 			     u32 addr_len,
-			     u32 secid)
+			     u32 secid,
+			     struct netlbl_audit *audit_info)
 {
 	int ret_val;
 	int ifindex;
 	struct net_device *dev;
 	struct netlbl_unlhsh_iface *iface;
+	struct in_addr *addr4, *mask4;
+	struct in6_addr *addr6, *mask6;
+	struct audit_buffer *audit_buf = NULL;
+	char *secctx = NULL;
+	u32 secctx_len;
 
 	if (addr_len != sizeof(struct in_addr) &&
 	    addr_len != sizeof(struct in6_addr))
@@ -562,13 +637,27 @@ static int netlbl_unlhsh_add(struct net *net,
 			goto unlhsh_add_return;
 		}
 	}
+	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
+					      audit_info);
 	switch (addr_len) {
 	case sizeof(struct in_addr):
-		ret_val = netlbl_unlhsh_add_addr4(iface, addr, mask, secid);
+		addr4 = (struct in_addr *)addr;
+		mask4 = (struct in_addr *)mask;
+		ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
+		if (audit_buf != NULL)
+			netlbl_unlbl_audit_addr4(audit_buf,
+						 dev_name,
+						 addr4->s_addr, mask4->s_addr);
 		break;
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 	case sizeof(struct in6_addr):
-		ret_val = netlbl_unlhsh_add_addr6(iface, addr, mask, secid);
+		addr6 = (struct in6_addr *)addr;
+		mask6 = (struct in6_addr *)mask;
+		ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
+		if (audit_buf != NULL)
+			netlbl_unlbl_audit_addr6(audit_buf,
+						 dev_name,
+						 addr6, mask6);
 		break;
 #endif /* IPv6 */
 	default:
@@ -579,14 +668,26 @@ static int netlbl_unlhsh_add(struct net *net,
 
 unlhsh_add_return:
 	rcu_read_unlock();
+	if (audit_buf != NULL) {
+		if (security_secid_to_secctx(secid,
+					     &secctx,
+					     &secctx_len) == 0) {
+			audit_log_format(audit_buf, " sec_obj=%s", secctx);
+			security_release_secctx(secctx, secctx_len);
+		}
+		audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
+		audit_log_end(audit_buf);
+	}
 	return ret_val;
 }
 
 /**
  * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry
+ * @net: network namespace
  * @iface: interface entry
  * @addr: IP address
  * @mask: IP address mask
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Remove an IP address entry from the unlabeled connection hash table.
@@ -594,12 +695,18 @@ unlhsh_add_return:
  * responsible for calling the rcu_read_[un]lock() functions.
  *
  */
-static int netlbl_unlhsh_remove_addr4(struct netlbl_unlhsh_iface *iface,
+static int netlbl_unlhsh_remove_addr4(struct net *net,
+				      struct netlbl_unlhsh_iface *iface,
 				      const struct in_addr *addr,
-				      const struct in_addr *mask)
+				      const struct in_addr *mask,
+				      struct netlbl_audit *audit_info)
 {
 	int ret_val = -ENOENT;
 	struct netlbl_unlhsh_addr4 *entry;
+	struct audit_buffer *audit_buf = NULL;
+	struct net_device *dev;
+	char *secctx = NULL;
+	u32 secctx_len;
 
 	spin_lock(&netlbl_unlhsh_lock);
 	entry = netlbl_unlhsh_search_addr4(addr->s_addr, iface);
@@ -611,6 +718,25 @@ static int netlbl_unlhsh_remove_addr4(struct netlbl_unlhsh_iface *iface,
 	}
 	spin_unlock(&netlbl_unlhsh_lock);
 
+	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
+					      audit_info);
+	if (audit_buf != NULL) {
+		dev = dev_get_by_index(net, iface->ifindex);
+		netlbl_unlbl_audit_addr4(audit_buf,
+					 (dev != NULL ? dev->name : NULL),
+					 entry->addr, entry->mask);
+		if (dev != NULL)
+			dev_put(dev);
+		if (security_secid_to_secctx(entry->secid,
+					     &secctx,
+					     &secctx_len) == 0) {
+			audit_log_format(audit_buf, " sec_obj=%s", secctx);
+			security_release_secctx(secctx, secctx_len);
+		}
+		audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
+		audit_log_end(audit_buf);
+	}
+
 	if (ret_val == 0)
 		call_rcu(&entry->rcu, netlbl_unlhsh_free_addr4);
 	return ret_val;
@@ -619,9 +745,11 @@ static int netlbl_unlhsh_remove_addr4(struct netlbl_unlhsh_iface *iface,
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 /**
  * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry
+ * @net: network namespace
  * @iface: interface entry
  * @addr: IP address
  * @mask: IP address mask
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Remove an IP address entry from the unlabeled connection hash table.
@@ -629,12 +757,18 @@ static int netlbl_unlhsh_remove_addr4(struct netlbl_unlhsh_iface *iface,
  * responsible for calling the rcu_read_[un]lock() functions.
  *
  */
-static int netlbl_unlhsh_remove_addr6(struct netlbl_unlhsh_iface *iface,
+static int netlbl_unlhsh_remove_addr6(struct net *net,
+				      struct netlbl_unlhsh_iface *iface,
 				      const struct in6_addr *addr,
-				      const struct in6_addr *mask)
+				      const struct in6_addr *mask,
+				      struct netlbl_audit *audit_info)
 {
 	int ret_val = -ENOENT;
 	struct netlbl_unlhsh_addr6 *entry;
+	struct audit_buffer *audit_buf = NULL;
+	struct net_device *dev;
+	char *secctx = NULL;
+	u32 secctx_len;
 
 	spin_lock(&netlbl_unlhsh_lock);
 	entry = netlbl_unlhsh_search_addr6(addr, iface);
@@ -647,6 +781,25 @@ static int netlbl_unlhsh_remove_addr6(struct netlbl_unlhsh_iface *iface,
 	}
 	spin_unlock(&netlbl_unlhsh_lock);
 
+	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
+					      audit_info);
+	if (audit_buf != NULL) {
+		dev = dev_get_by_index(net, iface->ifindex);
+		netlbl_unlbl_audit_addr6(audit_buf,
+					 (dev != NULL ? dev->name : NULL),
+					 addr, mask);
+		if (dev != NULL)
+			dev_put(dev);
+		if (security_secid_to_secctx(entry->secid,
+					     &secctx,
+					     &secctx_len) == 0) {
+			audit_log_format(audit_buf, " sec_obj=%s", secctx);
+			security_release_secctx(secctx, secctx_len);
+		}
+		audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
+		audit_log_end(audit_buf);
+	}
+
 	if (ret_val == 0)
 		call_rcu(&entry->rcu, netlbl_unlhsh_free_addr6);
 	return ret_val;
@@ -697,6 +850,7 @@ unlhsh_condremove_failure:
  * @addr: IP address in network byte order
  * @mask: address mask in network byte order
  * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Removes and existing entry from the unlabeled connection hash table.
@@ -707,7 +861,8 @@ static int netlbl_unlhsh_remove(struct net *net,
 				const char *dev_name,
 				const void *addr,
 				const void *mask,
-				u32 addr_len)
+				u32 addr_len,
+				struct netlbl_audit *audit_info)
 {
 	int ret_val;
 	struct net_device *dev;
@@ -734,11 +889,15 @@ static int netlbl_unlhsh_remove(struct net *net,
 	}
 	switch (addr_len) {
 	case sizeof(struct in_addr):
-		ret_val = netlbl_unlhsh_remove_addr4(iface, addr, mask);
+		ret_val = netlbl_unlhsh_remove_addr4(net,
+						     iface, addr, mask,
+						     audit_info);
 		break;
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 	case sizeof(struct in6_addr):
-		ret_val = netlbl_unlhsh_remove_addr6(iface, addr, mask);
+		ret_val = netlbl_unlhsh_remove_addr6(net,
+						     iface, addr, mask,
+						     audit_info);
 		break;
 #endif /* IPv6 */
 	default:
@@ -962,6 +1121,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
 	void *mask;
 	u32 addr_len;
 	u32 secid;
+	struct netlbl_audit audit_info;
 
 	/* Don't allow users to add both IPv4 and IPv6 addresses for a
 	 * single entry.  However, allow users to create two entries, one each
@@ -975,6 +1135,8 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
 	       !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
 		return -EINVAL;
 
+	netlbl_netlink_auditinfo(skb, &audit_info);
+
 	ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
 	if (ret_val != 0)
 		return ret_val;
@@ -986,7 +1148,9 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
 	if (ret_val != 0)
 		return ret_val;
 
-	return netlbl_unlhsh_add(net, dev_name, addr, mask, addr_len, secid);
+	return netlbl_unlhsh_add(net,
+				 dev_name, addr, mask, addr_len, secid,
+				 &audit_info);
 }
 
 /**
@@ -1009,6 +1173,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
 	void *mask;
 	u32 addr_len;
 	u32 secid;
+	struct netlbl_audit audit_info;
 
 	/* Don't allow users to add both IPv4 and IPv6 addresses for a
 	 * single entry.  However, allow users to create two entries, one each
@@ -1021,6 +1186,8 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
 	       !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
 		return -EINVAL;
 
+	netlbl_netlink_auditinfo(skb, &audit_info);
+
 	ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
 	if (ret_val != 0)
 		return ret_val;
@@ -1031,7 +1198,9 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
 	if (ret_val != 0)
 		return ret_val;
 
-	return netlbl_unlhsh_add(net, NULL, addr, mask, addr_len, secid);
+	return netlbl_unlhsh_add(net,
+				 NULL, addr, mask, addr_len, secid,
+				 &audit_info);
 }
 
 /**
@@ -1054,6 +1223,7 @@ static int netlbl_unlabel_staticremove(struct sk_buff *skb,
 	void *addr;
 	void *mask;
 	u32 addr_len;
+	struct netlbl_audit audit_info;
 
 	/* See the note in netlbl_unlabel_staticadd() about not allowing both
 	 * IPv4 and IPv6 in the same entry. */
@@ -1064,12 +1234,16 @@ static int netlbl_unlabel_staticremove(struct sk_buff *skb,
 	       !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
 		return -EINVAL;
 
+	netlbl_netlink_auditinfo(skb, &audit_info);
+
 	ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
 	if (ret_val != 0)
 		return ret_val;
 	dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
 
-	return netlbl_unlhsh_remove(net, dev_name, addr, mask, addr_len);
+	return netlbl_unlhsh_remove(net,
+				    dev_name, addr, mask, addr_len,
+				    &audit_info);
 }
 
 /**
@@ -1091,6 +1265,7 @@ static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
 	void *addr;
 	void *mask;
 	u32 addr_len;
+	struct netlbl_audit audit_info;
 
 	/* See the note in netlbl_unlabel_staticadd() about not allowing both
 	 * IPv4 and IPv6 in the same entry. */
@@ -1100,11 +1275,15 @@ static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
 	       !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
 		return -EINVAL;
 
+	netlbl_netlink_auditinfo(skb, &audit_info);
+
 	ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
 	if (ret_val != 0)
 		return ret_val;
 
-	return netlbl_unlhsh_remove(net, NULL, addr, mask, addr_len);
+	return netlbl_unlhsh_remove(net,
+				    NULL, addr, mask, addr_len,
+				    &audit_info);
 }
 
 

Re: [RFC PATCH] New audit message for NetLabel static/fallback labels

[Linda Knippers]

Paul Moore wrote:
> Those of you who follow the SELinux and/or LSM mailing lists know there is
> work currently underway to provide static or fallback network peer labels for
> use when traditional labeled networking (CIPSO or Labeled IPsec) is not
> present.  For the same reasons that NetLabel or Labeled IPsec configuration
> changes are considered "auditable events", configuring the static/fallback
> labels should likely be treated as an auditable event as well.
> 
> The patch below is part of a larger patchset which contains this new
> functionality which has already been posted many times to the SELinux and LSM
> lists.  Those interested in the patchset are encouraged to look into the
> archives of those mailing lists or check out the git tree here:
> 
>  * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
> 
> I'm posting this patch to the audit list for comments/review as it contains
> all of the audit related changes and I'd like to sort out any issues the
> audit community may have sooner rather than later.  Please take a few minutes
> to look over the changes, most importantly the new message types and either
> send me mail or preferably send mail straight to the audit list.
> 
> For reference, here are four examples of the new message types pulled from a
> Fedora Rawhide machine running this patch:
> 
>  * adding new fallback label using network interface "lo" and 
>    address "127.0.0.0/8"
> 
>    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
>     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>     netif=lo daddr=127.0.0.0 daddr_mask=8 \ 
>     sec_obj=system_u:object_r:unlabeled_t:s0 res=1

At the risk of being nit-picky, it seems like the convention for network
addresses is either separate address and netmask fields, or the combined
address/bits-in-netmask notation.  For example, ifconfig (on ubuntu, anyway)
uses the former for IPv4 and the later for IPv6 addresses.

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host

These audit records separate the two values but use the bits-in-netmask
instead of the netmask in dot notation, which seems inconsistent to me.
Seems like the audit record above should either have an address of
127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.

-- ljk

> 
>  * adding new fallback label using the default network interface and 
>    address "192.168.0.10"
> 
>    type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
>     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>     daddr=192.168.0.10 \
>     sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> 
>  * deleting the configuration for network interface "lo" and
>    address "127.0.0.0/8"
> 
>    type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
>     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>     netif=lo daddr=127.0.0.0 daddr_mask=8 \
>     sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> 
>  * deleting the configuration for the defaul network interface and
>    address "192.168.0.10"
> 
>    type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
>     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>     daddr=192.168.0.10 \
>     sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> 

Re: [RFC PATCH] New audit message for NetLabel static/fallback labels

[Paul Moore]

On Wednesday 21 November 2007 4:21:26 pm Linda Knippers wrote:
> Paul Moore wrote:
> > For reference, here are four examples of the new message types pulled
> > from a Fedora Rawhide machine running this patch:
> >
> >  * adding new fallback label using network interface "lo" and
> >    address "127.0.0.0/8"
> >
> >    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
> >     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> >     netif=lo daddr=127.0.0.0 daddr_mask=8 \
> >     sec_obj=system_u:object_r:unlabeled_t:s0 res=1
>
> At the risk of being nit-picky, it seems like the convention for network
> addresses is either separate address and netmask fields, or the combined
> address/bits-in-netmask notation.  For example, ifconfig (on ubuntu,
> anyway) uses the former for IPv4 and the later for IPv6 addresses.
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>
> These audit records separate the two values but use the bits-in-netmask
> instead of the netmask in dot notation, which seems inconsistent to me.
> Seems like the audit record above should either have an address of
> 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.

I agree in that I like seeing the netmask attached to the address, but when I 
posed the question earlier to the list there was concern that this would 
cause breakage in the tools.  I just thought of something, would you be more 
comfortable if I changed the name from 'daddr_mask' to 'daddr_prefixlen'?

-- 
paul moore
linux security @ hp

Re: [RFC PATCH] New audit message for NetLabel static/fallback labels

[Paul Moore]

On Wednesday 21 November 2007 4:26:57 pm Paul Moore wrote:
> On Wednesday 21 November 2007 4:21:26 pm Linda Knippers wrote:
> > Paul Moore wrote:
> > > For reference, here are four examples of the new message types pulled
> > > from a Fedora Rawhide machine running this patch:
> > >
> > >  * adding new fallback label using network interface "lo" and
> > >    address "127.0.0.0/8"
> > >
> > >    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
> > >     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> > >     netif=lo daddr=127.0.0.0 daddr_mask=8 \
> > >     sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> >
> > At the risk of being nit-picky, it seems like the convention for network
> > addresses is either separate address and netmask fields, or the combined
> > address/bits-in-netmask notation.  For example, ifconfig (on ubuntu,
> > anyway) uses the former for IPv4 and the later for IPv6 addresses.
> >
> > lo        Link encap:Local Loopback
> >           inet addr:127.0.0.1  Mask:255.0.0.0
> >           inet6 addr: ::1/128 Scope:Host
> >
> > These audit records separate the two values but use the bits-in-netmask
> > instead of the netmask in dot notation, which seems inconsistent to me.
> > Seems like the audit record above should either have an address of
> > 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.
>
> I agree in that I like seeing the netmask attached to the address, but when
> I posed the question earlier to the list there was concern that this would
> cause breakage in the tools.  I just thought of something, would you be
> more comfortable if I changed the name from 'daddr_mask' to
> 'daddr_prefixlen'?

The more I think about this, the more I like the idea of 'daddr_prefixlen', 
I'm going to go and make that change.  Although I'm still unclear of how 
people would like to see the netmask information - part of the address or 
separate.

For what it is worth I think we are going to need to augment the existing 
IPsec SPD audit messages to include this information as well (see my other 
mail).

-- 
paul moore
linux security @ hp