[PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Eric Paris
eparis at redhat.com
Tue Jun 24 15:34:35 UTC 2014
I'm fine if other LSMs would like to use their own record type. Makes
sense.
-Eric
On Mon, 23 Jun 2014 17:06:55 -0700
Tony Jones <tonyj at suse.de> wrote:
> On 06/06/2014 02:10 PM, Tyler Hicks wrote:
> > [Added Eric to cc]
>
> You didn't actually add Eric to the Cc: Adding him.
>
> >
> > On 2014-06-06 13:46:48, Tyler Hicks wrote:
> >> On 2014-05-30 17:00:04, Steve Grubb wrote:
> >>> On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
> >>>> On 2014-05-30 15:53:49, Steve Grubb wrote:
> >>>>> On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
> >>>>>> This patch came from our L3 department. AppArmor LSM is
> >>>>>> logging using the
> >>>>>> common_lsm_audit() call but the audit userspace parsing code
> >>>>>> expects to see
> >>>>>> an SELinux tclass field. This patch doesn't address the lack
> >>>>>> of support for
> >>>>>> AppArmor in "aureport --avc". Talking to Seth Arnold,
> >>>>>> Canonical apparently
> >>>>>> has patches for this; if this is true perhaps they can post for
> >>>>>> inclusion.
> >>>>>>
> >>>>>> Based-on-work-by: William Preston <wpreston at suse.com>
> >>>>>> Signed-off-by: Tony Jones <tonyj at suse.de>
> >>>>>
> >>>>> I was looking at this patch and was wondering something. Does
> >>>>> AppArmor produce AUDIT_AVC events?
> >>>>
> >>>> It does. Here's an odd ball that I picked out of my audit log:
> >>>
> >>> Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so
> >>> that this problem would never happen.
> >>>
> >>> libaudit.h:
> >>> #define AUDIT_FIRST_SELINUX 1400
> >>> #define AUDIT_LAST_SELINUX 1499
> >>> #define AUDIT_FIRST_APPARMOR 1500
> >>> #define AUDIT_LAST_APPARMOR 1599
> >>
> >> I wasn't involved with AppArmor when it was going through upstream
> >> acceptance reviews, but I've asked around to get the history.
> >>
> >> As Tony mentioned, AppArmor was originally using the 1500-1599
> >> block. At some point (I couldn't find it in the list archives), it
> >> was said that AppArmor needs to use common_lsm_audit() which
> >> unconditionally uses AUDIT_AVC.
> >
> > I found the review that caused AppArmor to switch to the common LSM
> > audit function:
> >
> > https://lkml.org/lkml/2009/11/9/232
> >
> > That email is almost 5 years old and minds can change over that
> > time, but Eric seemed to be against adding new audit event types
> > for each LSM. Instead, he wanted a lsm=<LSM> pair to be included in
> > the message.
> >
> > AppArmor can accommodate either approach so I think Steve and Eric
> > ought to come to an agreement on what non-SELinux LSMs should do
> > when auditing.
> >
> > Tyler
> >
> >
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
>
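The practical consequence of the thread is that AppArmor denials reach userspace as AUDIT_AVC (type 1400) records because common_lsm_audit() hard-codes that type, so a consumer that recognises an AVC record only by the SELinux tclass= field silently drops them. The following Python parser is an added example, not code from this thread, auditd or ausearch: it classifies audit records by LSM using the libaudit.h ranges quoted above, and for AUDIT_AVC records by the fields actually present (tclass= for SELinux, the lsm=<LSM> pair Eric proposed, or an apparmor= key, which real AppArmor records carry but which the thread does not mention, so it is labelled an assumption). The sample log lines are constructed, and the UNKNOWN[<number>] rendering of a type auditd has no name for is an assumption as well.

```python
import re

# Record-type ranges from libaudit.h as quoted in the thread.
AUDIT_FIRST_SELINUX, AUDIT_LAST_SELINUX = 1400, 1499
AUDIT_FIRST_APPARMOR, AUDIT_LAST_APPARMOR = 1500, 1599
AUDIT_AVC = 1400  # the single type that common_lsm_audit() always emits

# Name -> number for the one named type this example needs. Assumption: a
# type auditd has no name for is rendered as UNKNOWN[<number>] (handled below).
TYPE_NAMES = {"AVC": AUDIT_AVC}

HEADER_RE = re.compile(r"type=(\S+)\s+msg=audit\(([\d.]+):(\d+)\):\s*(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_number(name):
    """Map a rendered type field to its numeric record type, or None."""
    if name in TYPE_NAMES:
        return TYPE_NAMES[name]
    m = re.fullmatch(r"(?:UNKNOWN\[)?(\d+)\]?", name)
    return int(m.group(1)) if m else None


def parse_record(line):
    """Split one 'type=X msg=audit(ts:serial): k=v ...' line into a dict.
    Free text such as 'avc:  denied  { read } for' is skipped; only k=v
    pairs are kept. Returns None for lines that are not audit records."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    name, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"type": name, "type_num": type_number(name),
            "timestamp": ts, "serial": int(serial), "fields": fields}


def classify_lsm(rec):
    """Return which LSM produced the record: 'selinux', 'apparmor', another
    lsm= value, 'unknown' for an AVC record with no recognisable LSM marker,
    or None when the record is not an LSM record at all."""
    num = rec["type_num"]
    f = rec["fields"]
    if num is not None and AUDIT_FIRST_APPARMOR <= num <= AUDIT_LAST_APPARMOR:
        return "apparmor"           # the block reserved for AppArmor
    if num == AUDIT_AVC:
        if "lsm" in f:              # the lsm=<LSM> pair proposed in the thread
            return f["lsm"].lower()
        if "apparmor" in f:         # assumed apparmor="DENIED"/"ALLOWED" marker
            return "apparmor"
        if "tclass" in f:           # the SELinux field ausearch expects
            return "selinux"
        return "unknown"
    if num is not None and AUDIT_FIRST_SELINUX <= num <= AUDIT_LAST_SELINUX:
        return "selinux"
    return None


def select_by_lsm(lines, lsm):
    """Serial numbers of the records attributable to the given LSM, i.e. the
    ausearch-style selection the original patch was trying to make work."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec and classify_lsm(rec) == lsm:
            out.append(rec["serial"])
    return out


# Constructed sample records (not taken from any real system).
SAMPLE_LINES = [
    # SELinux denial: AUDIT_AVC carrying the tclass= field userspace looks for.
    'type=AVC msg=audit(1401000000.123:100): avc:  denied  { read } for  '
    'pid=1234 comm="cat" name="shadow" dev="sda1" ino=42 '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    # AppArmor denial: also AUDIT_AVC (via common_lsm_audit), no tclass= at all.
    'type=AVC msg=audit(1401000001.456:101): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/etc/shadow" pid=2345 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Hypothetical record carrying the lsm=<LSM> pair discussed in the thread.
    'type=AVC msg=audit(1401000002.789:102): lsm=apparmor operation="exec" profile="unconfined" pid=3456',
    # Record in the 1500-1599 range that this auditd has no name for.
    'type=UNKNOWN[1501] msg=audit(1401000003.000:103): operation="capable" profile="/usr/bin/example" pid=4567',
    # Unrelated syscall record: not an LSM record.
    'type=SYSCALL msg=audit(1401000000.123:100): arch=c000003e syscall=2 success=no exit=-13 pid=1234',
]

if __name__ == "__main__":
    for lsm in ("selinux", "apparmor"):
        print(lsm, select_by_lsm(SAMPLE_LINES, lsm))
```

The ordering inside classify_lsm matters: an explicit lsm= pair is trusted first, the apparmor= marker next, and only then does tclass= imply SELinux, so a record that is in the AVC type but belongs to another LSM is never misfiled as SELinux just because the type number says 1400.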