Re: Improve init/Kconfig help descriptions [PATCH 4/9]

2008-02-20 Thread Nick Andrew 
On Tue, Feb 19, 2008 at 10:42:10PM -0500, [EMAIL PROTECTED] wrote:
> On Wed, 20 Feb 2008 01:38:55 +1100, Nick Andrew said:
> > + AVC refers to Access Vector Cache, a subsystem used by SELinux
> > + to improve performance of the security checking by caching
> > + previous access decisions.
> 
> This paragraph can be dropped, as the reasons that SELinux denial messages
> are tagged with 'avc' are mostly historical.   If you want to expand on 
> anything
> in here, explain that 'AVC' messages are interesting because they indicate
> some sort of security rule denial.

Ok, if AVC is incidental then I don't need to mention it, and so don't
need to define the acronym.

> So - if you don't enable auditing,
> your security messages end up in the kernel syslog.  If you enable auditing,
> they end up in the audit logs.  Explaining *that* clearly would be a lot
> more useful than explaining what avc originally stood for.. ;)

How about this. I tried to explain what happens to audit messages.

bool "Auditing support"
depends on NET
help
- Enable auditing infrastructure that can be used with another
- kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output).  Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ Enable an auditing infrastructure that can be used with another
+ kernel subsystem, such as Security-Enhanced Linux (SELinux),
+ which requires this option for logging of security related
+ messages.
+
+ With this option, the kernel can use netlink to pass audit
+ messages to an audit daemon process. Otherwise, audit messages
+ are logged to syslog.
+
+ See  for more information
+ on Security-Enhanced Linux.
+
+ CONFIG_AUDITSYSCALL (see below) is also required for
+ system-call auditing.
+
+ If unsure, say N.

I'm puzzled about "end up in the kernel syslog". Looking at 
include/linux/audit.h
it seems that they go nowhere:

#ifdef CONFIG_AUDIT
  [...]
#else
#define audit_log(c,g,t,f,...) do { ; } while (0)
#define audit_log_start(c,g,t) ({ NULL; })
#define audit_log_vformat(b,f,a) do { ; } while (0)
#define audit_log_format(b,f,...) do { ; } while (0)
#define audit_log_end(b) do { ; } while (0)
#define audit_log_hex(a,b,l) do { ; } while (0)
#define audit_log_untrustedstring(a,s) do { ; } while (0)
#define audit_log_n_untrustedstring(a,n,s) do { ; } while (0)
#define audit_log_d_path(b, p, d) do { ; } while (0)
#define audit_enabled 0
#endif

So it looks like if CONFIG_AUDIT is not defined then audit messages are
ignored. Syslog is used by kernel/audit.c when there is an audit
failure, which seems to be mainly if the userspace audit daemon is not
running.

Nick.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Improve init/Kconfig help descriptions [PATCH 4/9]

2008-02-20 Thread Nick Andrew 
On Tue, Feb 19, 2008 at 10:42:10PM -0500, [EMAIL PROTECTED] wrote:
 On Wed, 20 Feb 2008 01:38:55 +1100, Nick Andrew said:
  + AVC refers to Access Vector Cache, a subsystem used by SELinux
  + to improve performance of the security checking by caching
  + previous access decisions.
 
 This paragraph can be dropped, as the reasons that SELinux denial messages
 are tagged with 'avc' are mostly historical.   If you want to expand on 
 anything
 in here, explain that 'AVC' messages are interesting because they indicate
 some sort of security rule denial.

Ok, if AVC is incidental then I don't need to mention it, and so don't
need to define the acronym.

 So - if you don't enable auditing,
 your security messages end up in the kernel syslog.  If you enable auditing,
 they end up in the audit logs.  Explaining *that* clearly would be a lot
 more useful than explaining what avc originally stood for.. ;)

How about this. I tried to explain what happens to audit messages.

bool Auditing support
depends on NET
help
- Enable auditing infrastructure that can be used with another
- kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output).  Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ Enable an auditing infrastructure that can be used with another
+ kernel subsystem, such as Security-Enhanced Linux (SELinux),
+ which requires this option for logging of security related
+ messages.
+
+ With this option, the kernel can use netlink to pass audit
+ messages to an audit daemon process. Otherwise, audit messages
+ are logged to syslog.
+
+ See http://www.nsa.gov/selinux/ for more information
+ on Security-Enhanced Linux.
+
+ CONFIG_AUDITSYSCALL (see below) is also required for
+ system-call auditing.
+
+ If unsure, say N.

I'm puzzled about end up in the kernel syslog. Looking at 
include/linux/audit.h
it seems that they go nowhere:

#ifdef CONFIG_AUDIT
  [...]
#else
#define audit_log(c,g,t,f,...) do { ; } while (0)
#define audit_log_start(c,g,t) ({ NULL; })
#define audit_log_vformat(b,f,a) do { ; } while (0)
#define audit_log_format(b,f,...) do { ; } while (0)
#define audit_log_end(b) do { ; } while (0)
#define audit_log_hex(a,b,l) do { ; } while (0)
#define audit_log_untrustedstring(a,s) do { ; } while (0)
#define audit_log_n_untrustedstring(a,n,s) do { ; } while (0)
#define audit_log_d_path(b, p, d) do { ; } while (0)
#define audit_enabled 0
#endif

So it looks like if CONFIG_AUDIT is not defined then audit messages are
ignored. Syslog is used by kernel/audit.c when there is an audit
failure, which seems to be mainly if the userspace audit daemon is not
running.

Nick.
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Improve init/Kconfig help descriptions [PATCH 4/9]

2008-02-19 Thread Valdis . Kletnieks 
On Wed, 20 Feb 2008 01:38:55 +1100, Nick Andrew said:

> +   Enable an auditing infrastructure that can be used with another
> +   kernel subsystem, such as Security-Enhanced Linux (SELinux),
> +   which requires this option for logging of AVC messages output.
> +
> +   AVC refers to Access Vector Cache, a subsystem used by SELinux
> +   to improve performance of the security checking by caching
> +   previous access decisions.

This paragraph can be dropped, as the reasons that SELinux denial messages
are tagged with 'avc' are mostly historical.   If you want to expand on anything
in here, explain that 'AVC' messages are interesting because they indicate
some sort of security rule denial.  So - if you don't enable auditing,
your security messages end up in the kernel syslog.  If you enable auditing,
they end up in the audit logs.  Explaining *that* clearly would be a lot
more useful than explaining what avc originally stood for.. ;)


pgpfqLD9e6x5N.pgp
Description: PGP signature

Re: Improve init/Kconfig help descriptions [PATCH 4/9]

2008-02-19 Thread Valdis . Kletnieks 
On Wed, 20 Feb 2008 01:38:55 +1100, Nick Andrew said:

 +   Enable an auditing infrastructure that can be used with another
 +   kernel subsystem, such as Security-Enhanced Linux (SELinux),
 +   which requires this option for logging of AVC messages output.
 +
 +   AVC refers to Access Vector Cache, a subsystem used by SELinux
 +   to improve performance of the security checking by caching
 +   previous access decisions.

This paragraph can be dropped, as the reasons that SELinux denial messages
are tagged with 'avc' are mostly historical.   If you want to expand on anything
in here, explain that 'AVC' messages are interesting because they indicate
some sort of security rule denial.  So - if you don't enable auditing,
your security messages end up in the kernel syslog.  If you enable auditing,
they end up in the audit logs.  Explaining *that* clearly would be a lot
more useful than explaining what avc originally stood for.. ;)


pgpfqLD9e6x5N.pgp
Description: PGP signature