[redhat-lspp] SE Linux audit events

Stephen Smalley sds at tycho.nsa.gov
Tue Nov 8 15:38:59 UTC 2005


On Tue, 2005-11-08 at 10:32 -0500, Steve Grubb wrote:
> Hi,
> 
> I think we need to start talking about adding audit events for SE Linux. If I 
> do this: "echo "0" > /selinux/enforcing" I get this record:
> 
> type=SYSCALL msg=audit(11/08/05 09:43:57.306:66) : arch=x86_64 syscall=write 
> success=yes exit=2 a0=1 a1=2aaaadfab000 a2=2 a3=ffffffff items=0 pid=2385 
> auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root 
> sgid=root fsgid=root comm=bash exe=/bin/bash 
> subj=root:system_r:unconfined_t:s0-s0:c0.c255
> type=AVC msg=audit(11/08/05 09:43:57.306:66) : avc:  granted  { setenforce } 
> for  pid=2385 comm=bash scontext=root:system_r:unconfined_t:s0-s0:c0.c255 
> tcontext=system_u:object_r:security_t:s0 tclass=security
> 
> This is inadequate since you don't know if a 1 or 0 went into the kernel. It 
> is also an AVC message which makes it blend in with the other 60,000 avc 
> messages I have on my system.

I don't think the latter is an issue, as you can easily search for it by
permission.  The former (logging the particular value) is more
legitimate, and could be added as auxiliary audit data for the avc
audit. 

> I think we need to add some SE Linux kernel message types for audit into the 
> kernel and start patching the kernel to report these messages - including the 
> information of previous value and new value.
> 
> The events I think we need are:
> 
> MAC_POLICY_LOAD - This event would designate policy loads

Already handled by auditallow rules on load_policy permission.  As
above, I don't see a need for a distinct audit type when we have a
distinct permission.

> MAC_STATUS - This event would indicate a change in enforcing, permissive, or 
> off.

This is just setenforce with auxiliary audit data; just need to add a
field to avc_audit_data for the value and modify the caller to pass one
of these structs down to the avc_has_perm call.

> MAC_CONFIG_CHANGE - This would indicate a change to booleans.

These are logged presently by security_set_bools via printk, but need to
be converted over to using the audit system.  More generally, there are
a number of legacy printks in SELinux that could potentially be
converted to using the audit system, although we don't want to do that
blindly.

-- 
Stephen Smalley
National Security Agency
