New subject: [patch 1/1] SELinux AVC audit log ipaddr field support (for task_struct->curr_ip)

Thursday, 10 March 2005

On Thu, 2005-03-10 at 16:05 +0100, Lorenzo Hernández García-Hierro
wrote:
...
 Provides support for a new field ipaddr within the SELinux
 AVC audit log, relying in task_struct->curr_ip (ipv4 only)
 provided by the task-curr_ip or grSecurity patch to be applied
 before.It was first implemented by Joshua Brindle (a.k.a Method)
 from the Hardened Gentoo project.

 An example of the audit messages with ipaddr field:
 audit(1110432234.161:0): avc:  denied  { search } for  pid=19057
 exe=/usr/bin/wget name=portage dev=hda3 ino=1024647 ipaddr=192.168.1.30
 scontext=root:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_tmp_t
tclass=dir 
Even if the basic idea were sound (doubtful), this would need to be
generalized (i.e. not ipv4-specific).  Also, I think I'd rather see
extensions to the audit data be incorporated into the audit framework,
not the AVC-specific audit code, and some of the existing avc_audit()
code migrated into the audit framework (e.g. the exe= information
currently generated by avc_audit could be done by audit_log_exit
instead).

-- 
Stephen Smalley <sds(a)tycho.nsa.gov&gt;
National Security Agency

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: [patch 1/1] SELinux AVC audit log ipaddr field support (for task_struct->curr_ip)