On Tuesday, November 22, 2016 2:47:15 PM EST Stephen Smalley wrote:
>> At present, we only generate AUDIT_MAC_STATUS, AUDIT_MAC_LOAD, and
>> AUDIT_MAC_CONFIG_CHANGE on success (or at least partial success). If
>> you truly need to audit failures, then it seems like you either need to
>> a) do it through syscall audit filters, which already provide a success=
>> field
>
> I can't imagine what to audit on. There is an open syscall that has a
> path. But I suspect that does not fail because policy has not been written.
> There is a write syscall but triggering on that is pretty generic. This is
> not ideal.

> Can't you write an audit syscall filter or watch on
> /sys/fs/selinux/load? Ditto for /sys/fs/selinux/enforce,
> /sys/fs/selinux/commit_pending_bools, etc.

Yes, you can. But this is for the open syscall. sel_write_load() is the
function where the auditing is done, but it's mapped to the .write member of
sel_load_ops. Auditing on write is not a good thing.

So, if AUDIT_MAC_POLICY_LOAD must only appear when there is success, then it's
best to create a second event for failure and hard code the 'res' fields for
both.
-Steve
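The workaround the thread circles around (a watch on /sys/fs/selinux/load catches the open, a syscall filter on write catches the failure, and neither alone says "policy load failed") can be stitched together in userspace. The following is an added example, not code from this thread or from the audit or SELinux projects. It assumes two rules are loaded (an assumption, not something the thread states), `-w /sys/fs/selinux/load -p w -k selinux-load` and `-a always,exit -F arch=b64 -S write -F success=0 -k failed-write`, and it joins the open record (which carries the PATH and the returned fd) with a later failed write(2) from the same pid on that fd. The audit records below are constructed for illustration and carry only a subset of the real auditd fields.

```python
"""Correlate audit records to surface failed writes to /sys/fs/selinux/load.

Added example, not code from the linux-audit thread. Assumed rules (not on the page):
    -w /sys/fs/selinux/load -p w -k selinux-load
    -a always,exit -F arch=b64 -S write -F success=0 -k failed-write
The watch fires on the open for writing (the only record that carries the path);
the second rule records failed write(2) calls, which carry only a pid and an fd.
"""
import re
from typing import Dict, List, Tuple

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Constructed sample records (subset of real auditd fields, values illustrative).
# Event 301: load_policy opens selinuxfs for writing and receives fd 3.
# Event 302: the write of a malformed policy on fd 3 fails with EINVAL (-22).
# Event 303: an unrelated failed write by another process; must not be reported.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479845235.120:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=80001 a3=0 items=1 pid=1234 auid=1000 uid=0 comm="load_policy" exe="/usr/sbin/load_policy" key="selinux-load"
type=PATH msg=audit(1479845235.120:301): item=0 name="/sys/fs/selinux/load" inode=4 dev=00:0e mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1479845235.125:302): arch=c000003e syscall=1 success=no exit=-22 a0=3 a1=55d4 a2=100000 a3=0 items=0 pid=1234 auid=1000 uid=0 comm="load_policy" exe="/usr/sbin/load_policy" key="failed-write"
type=SYSCALL msg=audit(1479845250.000:303): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=7f00 a2=10 a3=0 items=0 pid=2222 auid=1000 uid=1000 comm="sh" exe="/usr/bin/bash" key="failed-write"
"""

Record = Dict[str, str]

SELINUX_LOAD = "/sys/fs/selinux/load"
WRITE_SYSCALL = "1"      # x86_64 write(2)
WINDOW_SECONDS = 5.0     # assumption: the write follows the open within seconds


def parse_record(line: str) -> Record:
    """Turn one auditd line into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["time"], rec["serial"] = m.group(1), m.group(2)
    return rec


def group_events(log: str) -> Dict[str, List[Record]]:
    """Group records by audit serial; one syscall yields several records."""
    events: Dict[str, List[Record]] = {}
    for line in log.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def failed_policy_writes(log: str) -> List[Tuple[str, str, str]]:
    """Return (serial, pid, exit) for failed write(2) calls on an fd that the
    same pid obtained by opening /sys/fs/selinux/load for writing."""
    events = group_events(log)
    open_fds: Dict[Tuple[str, str], float] = {}   # (pid, fd) -> open time
    results: List[Tuple[str, str, str]] = []
    for serial in sorted(events, key=int):
        recs = events[serial]
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        paths = {r.get("name") for r in recs if r["type"] == "PATH"}
        if SELINUX_LOAD in paths and sc["success"] == "yes":
            # The watch hit: exit= is the fd handed back by the open.
            open_fds[(sc["pid"], sc["exit"])] = float(sc["time"])
            continue
        if sc["syscall"] == WRITE_SYSCALL and sc["success"] == "no":
            fd = str(int(sc["a0"], 16))          # a0 is the fd, logged in hex
            opened = open_fds.get((sc["pid"], fd))
            if opened is not None and float(sc["time"]) - opened <= WINDOW_SECONDS:
                results.append((serial, sc["pid"], sc["exit"]))
    return results


if __name__ == "__main__":
    for serial, pid, exit_code in failed_policy_writes(SAMPLE_LOG):
        print(f"event {serial}: pid {pid} failed writing {SELINUX_LOAD} (exit={exit_code})")
```

The join on pid and fd is what makes the generic failed-write rule usable: without the open record there is no path, and without the write record there is no failure, which is exactly the gap a kernel-generated failure event with a hard-coded res field would close.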