Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	Tyler Hicks <tyhicks@canonical.com>,
	linux-security-module@vger.kernel.org,
	apparmor <apparmor@lists.ubuntu.com>
Subject: Re: Unique audit record type ranges for individual LSMs
Date: Mon, 11 Dec 2017 10:44:22 -0500	[thread overview]
Message-ID: <9007498.tkJPu7STvn@x2> (raw)
In-Reply-To: <3ea79b60-21cb-5638-304d-97bde8b12b5c@schaufler-ca.com>

On Wednesday, December 6, 2017 1:47:43 PM EST Casey Schaufler wrote:
> > While it will be potentially painful to switch, the AppArmor project is
> > considering to use a unique range in order for audit-userspace to
> > support AppArmor audit records. IMHO, SMACK would be free to continue
> > using 1400-1499 as long as they don't need audit-userspace support and
> > SELinux would continue using 1400-1499.
> 
> Aside from the comment that says 1400-1499 are for SELinux, and the three
> events (1400-1402) that are SELinux specific, the events really are general.
> Why not add the AppArmor specifics to the 1400 range? Give them a generic
> sounding name and you'll achieve consistency. Change the comment to say
> "Security Module use" instead of "SELinux use".

I really don't know what the status is for user space support on the other 
LSMs. I couldn't tell you if the searching/reporting are broken or working 
just fine.

Additionally, there is auditctl which has very selinux specific field options 
to audit on a variety of pieces of the labels. Does this make sense for other 
LSMs? Do other LSMs have different needs? I really have no idea.

But one thing for sure...if we combine them all, I expect patches are needed 
for user space. By separating them out by event number or some identifier like 
lsm=, then we can have lsm specific fixups if necessary.

-Steve

  parent reply	other threads:[~2017-12-11 15:44 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-06 17:51 Unique audit record type ranges for individual LSMs Tyler Hicks
2017-12-06 18:47 ` Casey Schaufler
2017-12-06 19:12   ` Tyler Hicks
2017-12-11 15:44   ` Steve Grubb [this message]
2017-12-11 20:56     ` Casey Schaufler
2017-12-12  3:42       ` Steve Grubb
2017-12-11 15:35 ` Steve Grubb
2017-12-18 10:28 ` Laurent Bigonville

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9007498.tkJPu7STvn@x2 \
    --to=sgrubb@redhat.com \
    --cc=apparmor@lists.ubuntu.com \
    --cc=casey@schaufler-ca.com \
    --cc=linux-audit@redhat.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=tyhicks@canonical.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox