On Monday 26 September 2005 14:00, Steve Grubb wrote:
> On Thursday 21 July 2005 11:48, Dustin Kirkland wrote:
> > The attached patch contains functionality specified by the labeled
> > security protection profile--basically appending object context and
> > subject context labels to audit records.
>
> Let's use the following audit message number ranges for the next round of
> development:
>
> 1500 - 1599 kernel LSPP events
> 1600 - 1699 user space generated LSPP events
> 1700 - 1799 kernel crypto events
> 1800 - 1899 user space crypto events
> 1900 - 1999 future use (maybe integrity labels and related events)

Maybe I missed it... What's the 2000 - 2099 block reserved for again? I see
AUDIT_KERNEL at 2000, but I'm looking at an audit git tree that's not been
updated for over a month.

> 2100 - 2199 user space anomaly records
> 2200 - 2299 user space actions taken in response to anomalies
>
> I'd also like to suggest that this patch collect 2 kinds of contexts, subject
> and object. Subject being the context associated with the caller, object
> being whatever system object that is being accessed. There can be more than
> one object in the syscall. I'm undecided about whether they should be all in
> 1 record or each a separate record in the same event.

In terms of parsing, I'd imagine it'd be easiest if a subrecord had a static
format (and in the case of a binary record, a fixed size) and could not grow
arbitrarily large. I vote to make them separate subrecords which are then
correlated using a common token=value. In this case, something like:
event=<this_event>?? This would mean taking 1500 as subject label and 1501 as
object label.

> -Steve
-tim
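The separate-subrecord layout voted for above, as an added example that is not code from this thread, from the audit project, or from either author: a small Python correlator that groups fixed-format subject (type=1500) and object (type=1501) subrecords into one event by the shared event= token the reply proposes, then asks the question the labels exist to answer, namely which subject context was refused access to which object context. The record text, the event= token name, the type=1300 syscall record and its fields, and the SELinux-style labels are all constructed for this example and are not actual kernel output.

```python
import re
from collections import defaultdict

# Message types as proposed in the thread (1500 subject label, 1501 object
# label). SYSCALL_TYPE is an assumed value used only to tie the example together.
SUBJECT_TYPE = 1500
OBJECT_TYPE = 1501
SYSCALL_TYPE = 1300

# Constructed sample records: one syscall record plus fixed-format subject and
# object subrecords per event, all sharing an event=<id> token.
SAMPLE_RECORDS = [
    "type=1300 event=42 syscall=open success=yes exit=3 pid=1234 uid=500",
    "type=1500 event=42 subj=user_u:user_r:user_t",
    "type=1501 event=42 obj=system_u:object_r:etc_t path=/etc/passwd",
    "type=1501 event=42 obj=system_u:object_r:tmp_t path=/tmp/scratch",
    "type=1300 event=43 syscall=open success=no exit=-13 pid=1234 uid=500",
    "type=1500 event=43 subj=user_u:user_r:user_t",
    "type=1501 event=43 obj=system_u:object_r:shadow_t path=/etc/shadow",
]

TOKEN_RE = re.compile(r"(\w+)=(\S+)")

# Static format per subrecord type: the fields that must always be present,
# so a parser can reject a malformed subrecord instead of guessing.
REQUIRED_FIELDS = {
    SUBJECT_TYPE: ("subj",),
    OBJECT_TYPE: ("obj", "path"),
}


def parse_record(line):
    """Split one token=value record into a dict and enforce its fixed format."""
    fields = dict(TOKEN_RE.findall(line))
    for key in ("type", "event"):
        if key not in fields:
            raise ValueError("record lacks %s: %r" % (key, line))
    fields["type"] = int(fields["type"])
    missing = [f for f in REQUIRED_FIELDS.get(fields["type"], ()) if f not in fields]
    if missing:
        raise ValueError("type=%d record missing %s: %r" % (fields["type"], missing, line))
    return fields


def correlate(lines):
    """Group subrecords into events keyed by the shared event token.

    Each event carries exactly one subject label and a list of
    (object label, path) pairs, since one syscall may touch several objects.
    """
    events = defaultdict(lambda: {"subject": None, "objects": [], "syscall": None})
    for line in lines:
        rec = parse_record(line)
        ev = events[rec["event"]]
        if rec["type"] == SUBJECT_TYPE:
            if ev["subject"] is not None:
                raise ValueError("event %s has two subject subrecords" % rec["event"])
            ev["subject"] = rec["subj"]
        elif rec["type"] == OBJECT_TYPE:
            ev["objects"].append((rec["obj"], rec["path"]))
        elif rec["type"] == SYSCALL_TYPE:
            ev["syscall"] = rec
    return dict(events)


def denied_accesses(events):
    """Return (subject label, object label, path) for every failed syscall."""
    hits = []
    for ev in events.values():
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "no":
            continue
        for obj_label, path in ev["objects"]:
            hits.append((ev["subject"], obj_label, path))
    return hits


if __name__ == "__main__":
    for subj, obj, path in denied_accesses(correlate(SAMPLE_RECORDS)):
        print("denied: %s -> %s (%s)" % (subj, obj, path))
```

Because every subrecord is self-describing and tied to its event only by the token, the correlator never has to buffer a variable-length record or know in advance how many objects a syscall touched; a missing required field surfaces as a parse error for that one subrecord rather than silently shifting the fields of the whole event.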