On Monday 05 December 2005 10:40, Stephen Smalley wrote:
Note that selinux_disable() could fail (if policy has previously been loaded or SELinux was already disabled), so it seems like you want this audit_log call moved after the check.
Done
Offhand, I'd suggest just dropping the printk statements from this function, given your new audit_log call.
Done
Attached is a patch that hard-wires the recording of important SELinux events — policy loads, enforcing-mode changes, disabling SELinux, and boolean changes — into the audit system. Please apply.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.14.orig/include/linux/audit.h linux-2.6.14/include/linux/audit.h
--- linux-2.6.14.orig/include/linux/audit.h 2005-12-06 12:45:15.000000000 -0500
+++ linux-2.6.14/include/linux/audit.h 2005-12-06 13:19:01.000000000 -0500
@@ -83,6 +83,9 @@
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
#define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */
+#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */
+#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
+#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
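Review bot: The new record types name only the event, not the message layout that userspace parsers will have to match; once 1403–1405 ship, the key=value fields are part of the audit ABI just as the numbers are. The comments should pin the format each type carries, e.g. `#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load: "policy loaded auid=U" */` and `#define AUDIT_MAC_STATUS 1404 /* Mode change: "enforcing=N old_enforcing=N auid=U" or "selinux=0 auid=U" */`, with `/* Boolean change: "bool=NAME val=N old_val=N auid=U" */` on 1405. Those are the formats the selinuxfs.c and services.c hunks of this patch emit, so the header and the emitters stay in step.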
diff -urp linux-2.6.14.orig/security/selinux/selinuxfs.c
linux-2.6.14/security/selinux/selinuxfs.c
--- linux-2.6.14.orig/security/selinux/selinuxfs.c 2005-12-06 12:45:23.000000000
-0500
+++ linux-2.6.14/security/selinux/selinuxfs.c 2005-12-06 13:24:27.000000000 -0500
@@ -23,6 +23,7 @@
#include <linux/percpu.h>
#include <asm/uaccess.h>
#include <asm/semaphore.h>
+#include <linux/audit.h>
/* selinuxfs pseudo filesystem for exporting the security policy API.
Based on the proc code and the fs/nfsd/nfsctl.c code. */
@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct
length = task_has_security(current, SECURITY__SETENFORCE);
if (length)
goto out;
+ audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+ "enforcing=%d old_enforcing=%d auid=%u", new_value,
+ selinux_enforcing,
+ audit_get_loginuid(current->audit_context));
selinux_enforcing = new_value;
if (selinux_enforcing)
avc_ss_reset(0);
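Review bot: The record at the top of the hunk is written before `selinux_enforcing = new_value` takes effect, and audit_log() returns nothing, so if the record cannot be allocated or queued the mode change on the following line still goes ahead with no trace of it. If an unrecorded enforcing-mode change is acceptable, say so at the call, `/* best-effort: a dropped audit record does not block the mode change */`; if it is not, use audit_log_start()/audit_log_format()/audit_log_end() and abort the write when audit_log_start() returns NULL, before the assignment. The record also prints `new_value` as parsed; unless it is normalised to 0/1 earlier in the function (not visible here), a write of "5" is logged as `enforcing=5`. sel_write_enforce's body begins outside the hunk.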
@@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct
length = selinux_disable();
if (length < 0)
goto out;
+ audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+ "selinux=0 auid=%u",
+ audit_get_loginuid(current->audit_context));
}
length = count;
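Review bot: A failed attempt to disable SELinux leaves no record: when selinux_disable() returns an error the code jumps to `out` before the audit_log() call, yet a privileged process trying to switch the MAC off is itself something an investigator wants to see. Logging once before the check with an outcome field covers both cases without claiming a disable that did not happen, e.g. `audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, "selinux=0 res=%d auid=%u", length >= 0, audit_get_loginuid(current->audit_context));` placed ahead of `if (length < 0)`. Whichever form is kept, the record format should be documented since userspace will key on it. sel_write_disable's body begins and ends outside the hunk.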
@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct fil
length = ret;
else
length = count;
+ audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
+ "policy loaded auid=%u",
+ audit_get_loginuid(current->audit_context));
out:
up(&sel_sem);
vfree(data);
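Review bot: The record says `policy loaded` even when security_load_policy() failed: on the `if (ret)` branch `length` is set to the error and control still falls into the audit_log() call, so a rejected policy is logged exactly like a successful load. Either confine the call to the success branch or carry the outcome in the record, `"policy loaded auid=%u res=%d", audit_get_loginuid(current->audit_context), !ret` — the latter keeps failed loads visible, which is the more useful trail. The call runs with sel_sem held (released at `up(&sel_sem)` just below); sel_sem is a semaphore per the include above, so a sleeping GFP_KERNEL allocation under it is legal, but a one-line comment saying so would save the next reader the check. sel_write_load's body begins outside the hunk.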
diff -urp linux-2.6.14.orig/security/selinux/ss/services.c
linux-2.6.14/security/selinux/ss/services.c
--- linux-2.6.14.orig/security/selinux/ss/services.c 2005-12-06 12:45:23.000000000
-0500
+++ linux-2.6.14/security/selinux/ss/services.c 2005-12-06 13:26:45.000000000 -0500
@@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *val
goto out;
}
- printk(KERN_INFO "security: committed booleans { ");
for (i = 0; i < len; i++) {
+ if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
+ audit_log(current->audit_context, GFP_ATOMIC,
+ AUDIT_MAC_CONFIG_CHANGE,
+ "bool=%s val=%d old_val=%d auid=%u",
+ policydb.p_bool_val_to_name[i],
+ !!values[i],
+ policydb.bool_val_to_struct[i]->state,
+ audit_get_loginuid(current->audit_context));
+ }
if (values[i]) {
policydb.bool_val_to_struct[i]->state = 1;
} else {
policydb.bool_val_to_struct[i]->state = 0;
}
- if (i != 0)
- printk(", ");
- printk("%s:%d", policydb.p_bool_val_to_name[i],
- policydb.bool_val_to_struct[i]->state);
}
- printk(" }\n");
for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
rc = evaluate_cond_node(&policydb, cur);