From: "Dustin Kirkland"
Subject: Re: [redhat-lspp] change lspp ipc auditing
Date: Fri, 31 Mar 2006 15:24:31 -0600
To: Steve Grubb, Alexander Viro
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com

On 3/31/06, Steve Grubb wrote:
> The patch below converts IPC auditing to collect sid's and convert to context
> string only if it needs to output an audit record. This patch depends on the
> inode audit change patch already being applied.

Looks pretty much like the version of this I submitted last night. It looks fine to me.

Point of clarification, though... We need to simplify for Al *exactly* what needs to be applied. There's a gang of patches flying around with IPC in the subject under multiple different threads, most of which are redundant.

As I see it there are two things that need to happen with respect to IPC auditing...

(1) Steve's patch above (or my patch from last night) eliminates the char *ctx strings in the ipc audit records resulting in improved performance (and eliminating the memory leaks that resurrected this code a month ago)

(2) My ipc audit rework patch that splits the ipc audit functions into two separate functions, each recording something different... One audits the ipc object itself (which is what will record the SELinux context sid). And the second is called when permissions are changed on an ipc object (happens in IPC_SET operations). Steve has recommended a minor change to the naming of the audit record type from AUDIT_IPC_NEW_PERM to AUDIT_IPC_SET_PERM. That's acceptable by me. I'll repost this patch very soon.

:-Dustin