[PATCH] LSPP audit enablement: storing selinux ocontext and scontext

Dustin Kirkland dustin.kirkland at us.ibm.com
Fri Jul 22 16:20:32 UTC 2005


On Thu, 2005-07-21 at 10:48 -0500, Dustin Kirkland wrote:
> The attached patch contains functionality specified by the labeled
> security protection profile--basically appending object context and
> subject context labels to audit records.

Here are a few examples of how the new audit messages look.  Notice the
"ocontext" and "scontext" fields appended to the end of the record.

Eventually, the audit FVT test cases would need to change slightly to
account for the additional information.  

But in a private conversation with David Woodhouse, he spoke of creating
a newly branched GIT tree containing post-RHEL4u2 changes--of which this
should be one.  This functionality is *not* required for CAPP.  Rather,
we're proactively working this upstream now in anticipation of LSPP.

:-Dustin



----
# cat /var/log/audit/audit.log | grep context | tail

type=SYSCALL msg=audit(1121807986.280:1091967): arch=40000003 syscall=5
success=yes exit=3 a0=d618c2 a1=8000 a2=0 a3=8000 items=1 pid=2816
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="id" exe="/usr/bin/id" scontext=system_u:system_r:initrc_t

type=PATH msg=audit(1121807986.280:1091967): item=0
name="/proc/self/attr/current" flags=101  inode=184549398 dev=00:03
mode=0100666 ouid=0 ogid=0 rdev=00:00
ocontext=system_u:system_r:initrc_t

type=SYSCALL msg=audit(1121807986.280:1092004): arch=40000003 syscall=5
success=yes exit=3 a0=80f81f0 a1=8000 a2=0 a3=8000 items=1 pid=2810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t

type=PATH msg=audit(1121807986.280:1092004): item=0
name="/etc/sysconfig/auditd" flags=101  inode=245774 dev=03:02
mode=0100640 ouid=0 ogid=0 rdev=00:00 ocontext=system_u:object_r:etc_t

type=SYSCALL msg=audit(1121807986.284:1092061): arch=40000003 syscall=5
success=yes exit=3 a0=81113a0 a1=8000 a2=0 a3=8000 items=1 pid=2810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t

type=PATH msg=audit(1121807986.284:1092061): item=0
name="/var/run/auditd.pid" flags=101  inode=2113716 dev=03:02
mode=0100644 ouid=0 ogid=0 rdev=00:00
ocontext=root:object_r:auditd_var_run_t

type=SYSCALL msg=audit(1121807986.284:1092099): arch=40000003 syscall=5
success=yes exit=3 a0=8111c48 a1=8241 a2=1b6 a3=8241 items=1 pid=2810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t

type=PATH msg=audit(1121807986.284:1092099): item=0 name="/dev/null"
flags=310  inode=506 dev=00:0f mode=040755 ouid=0 ogid=0 rdev=00:00
ocontext=system_u:object_r:device_t

...
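As an added illustration (not part of the patch or of this mail), the following Python script parses records in the layout shown above, joins the SYSCALL record and its PATH items by the audit serial number, and pulls out the new scontext/ocontext pair for each object touched. The sample input reuses four of the records from the mail, kept in the wrapped form the mail shows; a real audit.log has one record per line, and the unwrapper accepts both layouts. The field syntax assumed is the plain `key=value` form visible in the records; nothing beyond that is taken from the audit code itself.

```python
import re
from collections import defaultdict

# Records copied from the mail above, in the wrapped layout the mail uses
# (a real audit.log holds one record per line; unwrap_records handles both).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1121807986.280:1091967): arch=40000003 syscall=5
success=yes exit=3 a0=d618c2 a1=8000 a2=0 a3=8000 items=1 pid=2816
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="id" exe="/usr/bin/id" scontext=system_u:system_r:initrc_t

type=PATH msg=audit(1121807986.280:1091967): item=0
name="/proc/self/attr/current" flags=101  inode=184549398 dev=00:03
mode=0100666 ouid=0 ogid=0 rdev=00:00
ocontext=system_u:system_r:initrc_t

type=SYSCALL msg=audit(1121807986.284:1092061): arch=40000003 syscall=5
success=yes exit=3 a0=81113a0 a1=8000 a2=0 a3=8000 items=1 pid=2810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t

type=PATH msg=audit(1121807986.284:1092061): item=0
name="/var/run/auditd.pid" flags=101  inode=2113716 dev=03:02
mode=0100644 ouid=0 ogid=0 rdev=00:00
ocontext=root:object_r:auditd_var_run_t
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap_records(text):
    """One string per record: a line starting with 'type=' opens a record and
    any following non-blank lines (mail wrapping) are joined onto it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line.startswith("type="):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Split 'key=value ...' into a dict, strip quotes, add 'ts' and 'serial'."""
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["ts"], rec["serial"] = m.group(1), int(m.group(2))
    return rec


def split_context(ctx):
    """SELinux context 'user:role:type[:range]' -> dict of its parts."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": ":".join(parts[3:]) or None}


def group_events(text):
    """serial -> {'syscall': SYSCALL record, 'paths': [PATH records]}."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in unwrap_records(text):
        rec = parse_record(line)
        if "serial" not in rec:
            continue
        ev = events[rec["serial"]]
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec)
    return dict(events)


def subject_object_pairs(text):
    """One (serial, comm, scontext, name, ocontext) tuple per PATH item."""
    pairs = []
    for serial, ev in sorted(group_events(text).items()):
        sc = ev["syscall"] or {}
        for p in ev["paths"]:
            pairs.append((serial, sc.get("comm"), sc.get("scontext"),
                          p.get("name"), p.get("ocontext")))
    return pairs


def objects_touched_by_type(text, subject_type):
    """Set of (object type, path) reached by subjects of the given SELinux type."""
    out = set()
    for _serial, _comm, scontext, name, ocontext in subject_object_pairs(text):
        if scontext and ocontext and split_context(scontext)["type"] == subject_type:
            out.add((split_context(ocontext)["type"], name))
    return out


if __name__ == "__main__":
    for pair in subject_object_pairs(SAMPLE_LOG):
        print(pair)
```

Joining on the serial is what makes the new fields useful for review: the subject label lives on the SYSCALL record and the object label on each PATH record, so only the pair answers "which domain touched which type".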