[RFC PATCH] New audit message for NetLabel static/fallback labels

Linda Knippers linda.knippers at hp.com
Wed Nov 21 21:21:26 UTC 2007


Paul Moore wrote:
> Those of you who follow the SELinux and/or LSM mailing lists know there is
> work currently underway to provide static or fallback network peer labels for
> use when traditional labeled networking (CIPSO or Labeled IPsec) is not
> present.  For the same reasons that NetLabel or Labeled IPsec configuration
> changes are considered "auditable events", configuring the static/fallback
> labels should likely be treated as an auditable event as well.
> 
> The patch below is part of a larger patchset which contains this new
> functionality which has already been posted many times to the SELinux and LSM
> lists.  Those interested in the patchset are encouraged to look into the
> archives of those mailing lists or check out the git tree here:
> 
>  * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
> 
> I'm posting this patch to the audit list for comments/review as it contains
> all of the audit related changes and I'd like to sort out any issues the
> audit community may have sooner rather than later.  Please take a few minutes
> to look over the changes, most importantly the new message types and either
> send me mail or preferably send mail straight to the audit list.
> 
> For reference, here are four examples of the new message types pulled from a
> Fedora Rawhide machine running this patch:
> 
>  * adding new fallback label using network interface "lo" and 
>    address "127.0.0.0/8"
> 
>    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
>     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>     netif=lo daddr=127.0.0.0 daddr_mask=8 \
>     sec_obj=system_u:object_r:unlabeled_t:s0 res=1

At the risk of being nit-picky, it seems like the convention for network
addresses is either separate address and netmask fields, or the combined
address/bits-in-netmask notation.  For example, ifconfig (on ubuntu, anyway)
uses the former for IPv4 and the latter for IPv6 addresses.

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host

These audit records separate the two values but use the bits-in-netmask
instead of the netmask in dot notation, which seems inconsistent to me.
Seems like the audit record above should either have an address of
127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.

-- ljk

> 
>  * adding new fallback label using the default network interface and 
>    address "192.168.0.10"
> 
>    type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
>     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>     daddr=192.168.0.10 \
>     sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> 
>  * deleting the configuration for network interface "lo" and
>    address "127.0.0.0/8"
> 
>    type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
>     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>     netif=lo daddr=127.0.0.0 daddr_mask=8 \
>     sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> 
>  * deleting the configuration for the default network interface and
>    address "192.168.0.10"
> 
>    type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
>     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>     daddr=192.168.0.10 \
>     sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> 
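Whichever notation the patch ends up using, anything that consumes these records (an audit log parser, a SIEM normaliser, a compliance check that compares the configured fallback labels against an approved list) has to reconcile the `daddr`/`daddr_mask` pair with the single-host form that carries no mask at all. The following is an added example written for this thread, not code from the patch or from the audit userspace tools: it unfolds the backslash-continued records shown above, splits them into fields, and normalises the address to both CIDR and dotted-netmask form so a consumer does not depend on which of the two conventions the kernel picks. The field names (`netif`, `daddr`, `daddr_mask`, `sec_obj`, `res`) and the sample records are taken from the message; the treatment of a missing `daddr_mask` as a single host (/32 for IPv4, /128 for IPv6) is an assumption about the record semantics, not something the message states.

```python
"""Parse NetLabel fallback-label audit records and normalise their address
fields.  Added example for this thread; not code from the kernel patch."""
import ipaddress
import re

# Records copied from the thread.  The trailing backslashes are the
# line-continuation markers used in the mail, not kernel output.
SAMPLE_RECORDS = r"""
type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
 netif=lo daddr=127.0.0.0 daddr_mask=8 \
 sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
 daddr=192.168.0.10 \
 sec_obj=system_u:object_r:unlabeled_t:s0 res=1
"""

# type=... msg=audit(<seconds.millis>:<serial>): <subsystem>: <key=value ...>
_HEADER_RE = re.compile(
    r"type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"(?P<subsys>\w+): (?P<body>.*)"
)
_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def unfold(text):
    """Join backslash-continued lines back into one record per line."""
    joined = text.replace("\\\n", "")
    return [line for line in joined.splitlines() if line.strip()]


def parse_record(line):
    """Split one audit record into its header parts and key=value fields.

    Returns None for lines that do not look like an audit record, so a
    consumer can skip unrelated log noise instead of crashing on it.
    """
    m = _HEADER_RE.match(line)
    if not m:
        return None
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "subsystem": m.group("subsys"),
        "fields": dict(_FIELD_RE.findall(m.group("body"))),
    }


def parse_records(text):
    """Parse every record in a block of (possibly line-continued) text."""
    return [r for r in map(parse_record, unfold(text)) if r is not None]


def normalise_address(fields):
    """Return (cidr, dotted_netmask) for a record's daddr/daddr_mask pair.

    Assumption (not stated in the thread): a record with daddr but no
    daddr_mask describes a single host, i.e. a /32 for IPv4 or /128 for
    IPv6.  Both output forms are produced so a consumer can match against
    either the CIDR or the separate-netmask convention.
    """
    addr = ipaddress.ip_address(fields["daddr"])
    prefix = int(fields.get("daddr_mask", addr.max_prefixlen))
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net), str(net.netmask)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORDS):
        cidr, mask = normalise_address(rec["fields"])
        print(rec["serial"], rec["fields"].get("netif", "<default>"),
              cidr, mask, rec["fields"]["sec_obj"], "res=" + rec["fields"]["res"])
```

The netmask mapping relies on the standard library `ipaddress` module, so the same code handles IPv6 fallback labels without change; `strict=False` is what lets a record that names a non-network address with a mask (for example a host address with `daddr_mask=8`) still resolve to its containing network rather than raising.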