From: Lenny Bruzenak
Subject: Re: [PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting
Date: Tue, 22 Nov 2016 12:53:05 -0600
To: selinux@tycho.nsa.gov, linux-audit@redhat.com

On 11/22/2016 08:55 AM, Stephen Smalley wrote:

>> OK. We can move the point where res=1 is set. But I would think that it's a
>> requirement to have an audit record that states that policy failed to load.
>> FMT_MSA.3 Static Attribute Initialization. Auditable events: All modifications
>> of the initial value of security attributes. I would think this means changes
>> such as booleans, modifying labels, loading a new policy, or failure to load a
>> policy.
> Failure to load a policy is not a modification to the initial value of
> the security attribute, is it?

It is definitely relevant, if it falls under another category.
Either a failed malicious intent or a failed supervisory function.

LCB