I'm fine if other LSMs would like to use their own record type. Makes
sense.
-Eric
On Mon, 23 Jun 2014 17:06:55 -0700
Tony Jones <tonyj(a)suse.de> wrote:
On 06/06/2014 02:10 PM, Tyler Hicks wrote:
> [Added Eric to cc]
You didn't actually add Eric to the Cc: Adding him.
>
> On 2014-06-06 13:46:48, Tyler Hicks wrote:
>> On 2014-05-30 17:00:04, Steve Grubb wrote:
>>> On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
>>>> On 2014-05-30 15:53:49, Steve Grubb wrote:
>>>>> On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
>>>>>> This patch came from our L3 department. AppArmor LSM is logging using the
>>>>>> common_lsm_audit() call but the audit userspace parsing code expects to see
>>>>>> an SELinux tclass field. This patch doesn't address the lack of support for
>>>>>> AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical apparently
>>>>>> has patches for this; if this is true perhaps they can post for
>>>>>> inclusion.
>>>>>>
>>>>>> Based-on-work-by: William Preston <wpreston(a)suse.com>
>>>>>> Signed-off-by: Tony Jones <tonyj(a)suse.de>
>>>>>
>>>>> I was looking at this patch and was wondering something. Does
>>>>> AppArmor produce AUDIT_AVC events?
>>>>
>>>> It does. Here's an odd ball that I picked out of my audit log:
>>>
>>> Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so
>>> that this problem would never happen.
>>>
>>> libaudit.h:
>>> #define AUDIT_FIRST_SELINUX 1400
>>> #define AUDIT_LAST_SELINUX 1499
>>> #define AUDIT_FIRST_APPARMOR 1500
>>> #define AUDIT_LAST_APPARMOR 1599
>>
>> I wasn't involved with AppArmor when it was going through upstream
>> acceptance reviews, but I've asked around to get the history.
>>
>> As Tony mentioned, AppArmor was originally using the 1500-1599
>> block. At some point (I couldn't find it in the list archives), it
>> was said that AppArmor needs to use common_lsm_audit() which
>> unconditionally uses AUDIT_AVC.
>
> I found the review that caused AppArmor to switch to the common LSM
> audit function:
>
> https://lkml.org/lkml/2009/11/9/232
>
> That email is almost 5 years old and minds can change over that
> time, but Eric seemed to be against adding new audit event types
> for each LSM. Instead, he wanted a lsm=<LSM> pair to be included in
> the message.
>
> AppArmor can accommodate either approach so I think Steve and Eric
> ought to come to an agreement on what non-SELinux LSMs should do
> when auditing.
>
> Tyler
>
>
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
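The thread turns on one practical problem: once AppArmor goes through common_lsm_audit(), its records arrive as AUDIT_AVC, the same type SELinux uses, so a consumer such as aureport cannot tell the two apart by type alone. As an added example (not code from this thread, from AppArmor, or from audit userspace), the Python below attributes audit records to an LSM using both ideas discussed above: the per-LSM type blocks quoted from libaudit.h, and the lsm=<LSM> pair Eric suggested. The value AUDIT_AVC = 1400 is taken from linux/audit.h; the sample records, the numeric type 1503, and the fallback on tclass= versus apparmor= fields are constructed assumptions for illustration.

```python
import re

# Record-type blocks quoted in the thread from libaudit.h.
AUDIT_FIRST_SELINUX, AUDIT_LAST_SELINUX = 1400, 1499
AUDIT_FIRST_APPARMOR, AUDIT_LAST_APPARMOR = 1500, 1599
# AUDIT_AVC is the first entry of the SELinux block (linux/audit.h);
# common_lsm_audit() emits it regardless of which LSM is active.
AUDIT_AVC = 1400

# key=value pairs; values may be double-quoted (AppArmor style) or bare.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(msg: str) -> dict:
    """Split an audit message body into a {key: value} dict, dropping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(msg)}


def lsm_for_record(rec_type: int, msg: str) -> str:
    """Attribute one audit record to the LSM that produced it.

    Returns 'selinux', 'apparmor', 'other' (not an LSM record) or 'unknown'.
    Order of checks:
      1. A type in the 1500-1599 block is AppArmor's own, so it is certain.
      2. Any other type outside the SELinux block is not an LSM record.
      3. Inside the SELinux block, an explicit lsm=<LSM> pair (the approach
         Eric suggested in the thread) wins.
      4. Otherwise fall back on field shape: tclass= is what SELinux AVC
         records carry and what audit userspace expects; apparmor= is what
         AppArmor's common_lsm_audit() records carry. This fallback is a
         constructed heuristic, not a documented contract.
    """
    if AUDIT_FIRST_APPARMOR <= rec_type <= AUDIT_LAST_APPARMOR:
        return "apparmor"
    if not (AUDIT_FIRST_SELINUX <= rec_type <= AUDIT_LAST_SELINUX):
        return "other"
    fields = parse_fields(msg)
    if "lsm" in fields:
        return fields["lsm"].lower()
    if "tclass" in fields:
        return "selinux"
    if "apparmor" in fields:
        return "apparmor"
    return "unknown"


def attribute_all(records):
    """Return (type, lsm) for each (type, message) record; a consumer like
    aureport could use this to bucket AVC events per LSM."""
    return [(t, lsm_for_record(t, m)) for t, m in records]


# Constructed sample records, shaped like audit.log bodies but invented.
SAMPLE_RECORDS = [
    # SELinux AVC denial carrying tclass=
    (AUDIT_AVC, 'avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" '
                'dev="sda1" ino=42 scontext=user_u:user_r:user_t:s0 '
                'tcontext=system_u:object_r:shadow_t:s0 tclass=file'),
    # AppArmor denial emitted via common_lsm_audit(), so also type 1400
    (AUDIT_AVC, 'apparmor="DENIED" operation="open" profile="/usr/bin/foo" '
                'name="/etc/shadow" pid=4321 comm="foo" requested_mask="r" '
                'denied_mask="r"'),
    # Same record carrying the lsm= pair the thread discusses
    (AUDIT_AVC, 'lsm=apparmor apparmor="DENIED" operation="open" '
                'profile="/usr/bin/foo" name="/etc/shadow" pid=4321'),
    # A type from the AppArmor block (1500-1599); 1503 chosen for illustration
    (1503, 'apparmor="STATUS" operation="profile_load" name="/usr/bin/foo" pid=77'),
    # An ordinary syscall record, not an LSM record at all
    (1300, 'arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="cat"'),
    # An AVC record with neither marker: cannot be attributed
    (AUDIT_AVC, 'pid=9 comm="x"'),
]


if __name__ == "__main__":
    for rec_type, lsm in attribute_all(SAMPLE_RECORDS):
        print(f"type={rec_type:<5} lsm={lsm}")
```

The last sample record is the case the thread is really about: an AUDIT_AVC record with no lsm= pair and no recognisable field shape cannot be attributed at all, which is why either a dedicated type block or an explicit lsm=<LSM> pair is needed for non-SELinux LSMs.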