From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, SElinux list <selinux@tycho.nsa.gov>
Subject: Re: [PATCH] selinux: remove AVC init audit log message
Date: Fri, 28 Jul 2017 09:11:56 -0400 [thread overview]
Message-ID: <6418642.hManU9XiuR@x2> (raw)
In-Reply-To: <ce5219eaed412cc02caef75934b8c3b40087db83.1501158372.git.rgb@redhat.com>
On Friday, July 28, 2017 3:23:31 AM EDT Richard Guy Briggs wrote:
> In the process of normalizing audit log messages, it was noticed that the
> AVC initialization code registered an audit log KERNEL record that didn't
> fit the standard format. In the process of attempting to normalize it it
> was determined that this record was not even necessary. Remove it.
Actually, I'd probably go the other direction. I'd make it useful. How about a
AUDIT_MAC_INIT record that records, name of MAC framework, status (enabled/
disabled), and enforcing mode (enforcing/permissive). This way if there is an
investigation that needs to know the initial system state, we have that
information preserved. There might be one or two other tidbits people might
want to know like policy version or number of overrides (booleans) deviating
from policy baseline. But I'd say that's nice to have and not mandatory.
I'm pretty sure that was the intent of the event and its probably to satisfy
one of the FMT_MSA.3 common criteria requirements about initial subject/object
security attribute association.
-Steve
> Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
> See: https://github.com/linux-audit/audit-kernel/issues/48
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> security/selinux/avc.c | 2 --
> 1 files changed, 0 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index e60c79d..4b42931 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -197,8 +197,6 @@ void __init avc_init(void)
> avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data",
> sizeof(struct extended_perms_data),
> 0, SLAB_PANIC, NULL);
> -
> - audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC
> INITIALIZED\n"); }
>
> int avc_get_hash_stats(char *page)
next prev parent reply other threads:[~2017-07-28 13:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-28 7:23 [PATCH] selinux: remove AVC init audit log message Richard Guy Briggs
[not found] ` <ce5219eaed412cc02caef75934b8c3b40087db83.1501158372.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-07-28 13:06 ` Stephen Smalley
2017-07-28 14:13 ` Steve Grubb
2017-07-28 13:11 ` Steve Grubb [this message]
2017-07-28 13:37 ` Stephen Smalley
2017-07-28 22:47 ` Paul Moore
2017-08-23 8:55 ` Richard Guy Briggs
2017-08-23 12:41 ` Paul Moore
2017-08-23 14:52 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6418642.hManU9XiuR@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox