From: Linda Knippers
Subject: Re: [RFC PATCH] New audit message for NetLabel static/fallback labels
Date: Wed, 21 Nov 2007 16:21:26 -0500
Message-ID: <4744A156.3010308@hp.com>
In-Reply-To: <20071121193512.12714.406.stgit@flek.americas.hpqcorp.net>
To: Paul Moore
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Paul Moore wrote:
> Those of you who follow the SELinux and/or LSM mailing lists know there is
> work currently underway to provide static or fallback network peer labels for
> use when traditional labeled networking (CIPSO or Labeled IPsec) is not
> present.  For the same reasons that NetLabel or Labeled IPsec configuration
> changes are considered "auditable events", configuring the static/fallback
> labels should likely be treated as an auditable event as well.
>
> The patch below is part of a larger patchset which contains this new
> functionality which has already been posted many times to the SELinux and LSM
> lists.  Those interested in the patchset are encouraged to look into the
> archives of those mailing lists or check out the git tree here:
>
>  * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
>
> I'm posting this patch to the audit list for comments/review as it contains
> all of the audit related changes and I'd like to sort out any issues the
> audit community may have sooner rather than later.  Please take a few minutes
> to look over the changes, most importantly the new message types and either
> send me mail or preferably send mail straight to the audit list.
>
> For reference, here are four examples of the new message types pulled from a
> Fedora Rawhide machine running this patch:
>
>  * adding new fallback label using network interface "lo" and
>    address "127.0.0.0/8"
>
>  type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
>   auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>   netif=lo daddr=127.0.0.0 daddr_mask=8 \
>   sec_obj=system_u:object_r:unlabeled_t:s0 res=1

At the risk of being nit-picky, it seems like the convention for network
addresses is either separate address and netmask fields, or the combined
address/bits-in-netmask notation.  For example, ifconfig (on ubuntu, anyway)
uses the former for IPv4 and the latter for IPv6 addresses.

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host

These audit records separate the two values but use the bits-in-netmask
instead of the netmask in dot notation, which seems inconsistent to me.
Seems like the audit record above should either have an address of
127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.

-- ljk

>
>  * adding new fallback label using the default network interface and
>    address "192.168.0.10"
>
>  type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
>   auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>   daddr=192.168.0.10 \
>   sec_obj=system_u:object_r:unlabeled_t:s0 res=1
>
>  * deleting the configuration for network interface "lo" and
>    address "127.0.0.0/8"
>
>  type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
>   auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>   netif=lo daddr=127.0.0.0 daddr_mask=8 \
>   sec_obj=system_u:object_r:unlabeled_t:s0 res=1
>
>  * deleting the configuration for the default network interface and
>    address "192.168.0.10"
>
>  type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
>   auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>   daddr=192.168.0.10 \
>   sec_obj=system_u:object_r:unlabeled_t:s0 res=1
>
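An added example (not part of Paul's patch or of any audit tooling): a small Python parser for the netlabel records quoted above that joins the backslash-continued lines, pulls out the key=value fields, and renders daddr/daddr_mask in both conventions the reply describes, CIDR and dotted netmask. It assumes a record with no daddr_mask denotes a single host, which is how the "192.168.0.10" examples read; the two sample records are copied from the mail.

```python
import ipaddress
import re

# Constructed sample: two of the netlabel records quoted in the mail,
# kept in their original backslash-continued form.
SAMPLE_RECORDS = r"""
type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
 netif=lo daddr=127.0.0.0 daddr_mask=8 \
 sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
 daddr=192.168.0.10 \
 sec_obj=system_u:object_r:unlabeled_t:s0 res=1
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
HEAD_RE = re.compile(r"type=(\S+) msg=audit\(([\d.]+):(\d+)\):")


def split_records(text):
    """Join backslash-continued lines so each record is one physical line."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return [line for line in joined.splitlines() if line.strip()]


def parse_record(line):
    """Return the fields of one netlabel audit record as a dict."""
    head, _, body = line.partition("netlabel:")
    fields = dict(FIELD_RE.findall(body))
    m = HEAD_RE.match(head)
    fields["type"], fields["timestamp"], fields["serial"] = m.groups()
    return fields


def address_forms(fields):
    """Render daddr/daddr_mask as (CIDR, network address, dotted netmask).

    Assumption: a record without daddr_mask is a single host, so it gets
    the address family's full prefix length (/32 for IPv4, /128 for IPv6).
    """
    addr = ipaddress.ip_address(fields["daddr"])
    bits = int(fields.get("daddr_mask", addr.max_prefixlen))
    net = ipaddress.ip_network((addr, bits), strict=False)
    return net.with_prefixlen, str(net.network_address), str(net.netmask)


if __name__ == "__main__":
    for rec in map(parse_record, split_records(SAMPLE_RECORDS)):
        print(rec["type"], rec["serial"], rec.get("netif", "<default>"),
              *address_forms(rec), rec["sec_obj"])
```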