From: Mimi Zohar <zohar@linux.ibm.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
linux-integrity@vger.kernel.org
Subject: Re: IMA's use of the audit rule code
Date: Thu, 02 Jan 2020 15:36:55 -0500 [thread overview]
Message-ID: <1577997415.5874.122.camel@linux.ibm.com> (raw)
In-Reply-To: <28459dc3-1b5e-b3e0-7139-2a5dcb46476b@schaufler-ca.com>
On Thu, 2020-01-02 at 12:21 -0800, Casey Schaufler wrote:
> On 1/2/2020 11:18 AM, Mimi Zohar wrote:
> > On Thu, 2020-01-02 at 09:06 -0800, Casey Schaufler wrote:
> >> IMA refines security_audit_rule_init to security_filter_rule_init.
> >> I need to understand what, if any, relationship there is between
> >> IMA's use of the audit rule mechanisms and the audit system's use.
> >> Is this simple code reuse, or is there some interaction between IMA
> >> and audit?
> >>
> >> I'm trying to sort out the problem of audit rules when
> >> there are multiple security modules. It looks as if there is also a
> >> problem for integrity rules, but it looks different. The "easy"
> >> change for audit doesn't fit with what's in IMA. If there's no
> >> interaction between the IMA and audit use of the rule infrastructure
> >> it's reasonable to fix them separately. If there is interaction
> >> things get messy.
> > They're both comparing rules with LSM labels. In IMA's case, the LSM
> > labels are used to identify which files are in/out of the IMA policy -
> > "measurement", "appraisal", and "audit". I'm not sure how different
> > this is than the audit subsystem.
>
> On a system that has both SELinux and Smack the audit admin might
> want to set a rule on the label "system_u:object_r:something_t".
> The LSM infrastructure can't tell if this is an SELinux label or a
> Smack label, as it's valid for both. This is easily handled by
> keeping an array of pointers for LSM checks, with a value set for
> any module that wants to look for that label.
>
> IMA uses a very different data representation for its events than
> audit does, making it much less obvious how to go about retaining
> the security module to IMA event mapping. I'm looking at options.
IMA converts the labels to an LSM value on initialization, or when the
LSM policy is updated, by calling security_filter_rule_init(), a
pseudonym for security_audit_rule_init(). I would assume audit is
doing something similar.
Mimi
prev parent reply other threads:[~2020-01-02 20:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <a6c15a35-a8cb-7589-7960-a19e788b6c45.ref@schaufler-ca.com>
2020-01-02 17:06 ` IMA's use of the audit rule code Casey Schaufler
2020-01-02 19:18 ` Mimi Zohar
2020-01-02 20:21 ` Casey Schaufler
2020-01-02 20:36 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1577997415.5874.122.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=casey@schaufler-ca.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).