Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions

Finally, since you probably haven't followed all of the discussion around associating records into a single event, I wanted to give you my side of the story (if you don't care, you can simply skip the rest of this email). Currently an audit "event" can consist of multiple audit "records"; these records can contain PATH information, SYSCALL information, SELinux AVC information, as well as INTEGRITY_PCR information. The current kernel code does a poor job of associating some of these record types, which can make a single user action look like multiple audit events. For example, a single user action/event (writing a new IMA policy) could result in multiple audit "events" because the SYSCALL record for the write() syscall is not associated with the INTEGRITY_POLICY_RULE record; this is bogus because the write syscall is inherently linked with the IMA policy update. Keeping the records as separate audit "events" is not only conceptually odd, it is misleading.