Re: [PATCH] selinux: remove AVC init audit log message
On Friday, July 28, 2017 3:23:31 AM EDT Richard Guy Briggs wrote:
In the process of normalizing audit log messages, it was noticed that
the
AVC initialization code registered an audit log KERNEL record that didn't
fit the standard format. In the process of attempting to normalize it it
was determined that this record was not even necessary. Remove it.
Actually, I'd probably go the other direction. I'd make it useful. How about a
AUDIT_MAC_INIT record that records, name of MAC framework, status (enabled/
disabled), and enforcing mode (enforcing/permissive). This way if there is an
investigation that needs to know the initial system state, we have that
information preserved. There might be one or two other tidbits people might
want to know like policy version or number of overrides (booleans) deviating
from policy baseline. But I'd say that's nice to have and not mandatory.
I'm pretty sure that was the intent of the event and its probably to satisfy
one of the FMT_MSA.3 common criteria requirements about initial subject/object
security attribute association.
-Steve
Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
See: https://github.com/linux-audit/audit-kernel/issues/48
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/selinux/avc.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index e60c79d..4b42931 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -197,8 +197,6 @@ void __init avc_init(void)
avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data",
sizeof(struct extended_perms_data),
0, SLAB_PANIC, NULL);
-
- audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC
INITIALIZED\n"); }
int avc_get_hash_stats(char *page)