On 2014-05-29 11:01:38, Steve Grubb wrote:
> On Thursday, May 29, 2014 10:31:52 AM Tyler Hicks wrote:
> > On 2014-05-28 15:33:06, Tony Jones wrote:
> > > This patch came from our L3 department. AppArmor LSM is logging using the
> > > common_lsm_audit() call but the audit userspace parsing code expects to
> > > see an SELinux tclass field. This patch doesn't address the lack of
> > > support for AppArmor in "aureport --avc". Talking to Seth Arnold,
> > > Canonical apparently has patches for this; if this is true perhaps they
> > > can post for inclusion.
> >
> > Making the audit tools work with AppArmor generated events has been on
> > my todo list for quite a while, but no patches exist.
> >
> > I'm surprised that this patch makes ausearch work correctly for AppArmor
> > AVC events. The first thing that parse_avc() does is look for the
> > "avc: " term in the AVCs that SELinux generates. AppArmor's AVCs don't
> > include that string, so an.avc_result and an.avc_perm would not be set,
> > would they?
>
> I have a feeling a whole lot of testing is needed for apparmor, smack, tomoyo,
> or any other LSM besides SE Linux. (Maybe they work fine? I don't know.)
> Ausearch/report, auparse, and auvirt would all need updating. I'd also suggest
> sending patches to the ausearch test suite so that it can verify correctness
> of finding events.
Agreed. It felt to me like it would be more work than just updating
parse_avc() to gain full support for other LSMs. In addition, updating the
ausearch test suite is a no-brainer so that you can easily test with
non-SELinux events. With that said, I don't think these things should be
prereqs for Tony's patch being merged.

> One last area, perhaps the prelude plugin might need some updating as
> well....but then again the prelude project kind of died anyway.

I'm not really familiar with prelude, but I'll keep it in mind.

Tyler

> -Steve
>
> > > Based-on-work-by: William Preston <[email protected]>
> > > Signed-off-by: Tony Jones <[email protected]>
> > >
> > > --- a/src/ausearch-parse.c 2014-05-21 14:45:22.000000000 +0200
> > > +++ b/src/ausearch-parse.c 2014-05-21 14:53:55.000000000 +0200
> > > @@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea
> > >
> > > // Now get the class...its at the end, so we do things different
> > > str = strstr(term, "tclass=");
> > >
> > > - if (str == NULL) {
> > > - rc = 9;
> > > - goto err;
> > > + if (str) {
> > > + str += 7;
> > > + term = strchr(str, ' ');
> > > + if (term)
> > > + *term = 0;
> > > + an.avc_class = strdup(str);
> > > + if (term)
> > > + *term = ' ';
> > >
> > > }
> > >
> > > - str += 7;
> > > - term = strchr(str, ' ');
> > > - if (term)
> > > - *term = 0;
> > > - an.avc_class = strdup(str);
> > > - if (term)
> > > - *term = ' ';
> > >
> > > if (audit_avc_init(s) == 0) {
> > >
> > > alist_append(s->avc, &an);
> > >
> > > --
> > > Linux-audit mailing list
> > > [email protected]
> > > https://www.redhat.com/mailman/listinfo/linux-audit
>
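Review bot: with the `tclass=` branch made optional, `an.avc_class` is never assigned when the field is absent, and nothing in this hunk shows `an` being initialised; confirm that `avc_class` is NULL in that case and that `alist_append(s->avc, &an)` and whatever later prints or matches on `avc_class` accept a NULL, otherwise an AppArmor record that reaches this point carries an indeterminate pointer. Dropping `rc = 9;` together with the only branch that set it also means the `goto err` path for this field is gone, so check that nothing else in `parse_avc()` relies on that return code. A record with no `tclass=` would be a natural case to add to the ausearch test suite, as suggested upthread.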
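As an added illustration of the point raised in the thread (this is example code written for this page, not ausearch's own parse_avc()), the following C program performs the two lookups under discussion on a record body: the SELinux "avc: " marker, from which the result and permission are taken, and the trailing tclass= field, which the patch makes optional rather than a hard error. Both sample records are constructed for the example; their field layout follows the SELinux and AppArmor AVC formats, but every value is made up. The struct avc_fields type is a hypothetical stand-in for the few fields of ausearch's per-record structure that the thread mentions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample records (not captured from a real system). The
 * SELinux one carries the "avc: " marker and a trailing tclass= field;
 * the AppArmor one, emitted through common_lsm_audit(), has neither. */
static const char SELINUX_SAMPLE[] =
    "type=AVC msg=audit(1401360000.123:45): avc:  denied  { read } for  "
    "pid=1234 comm=\"cat\" name=\"shadow\" dev=\"sda1\" ino=1001 "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
    "tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0";
static const char APPARMOR_SAMPLE[] =
    "type=AVC msg=audit(1401360000.124:46): apparmor=\"DENIED\" "
    "operation=\"open\" profile=\"/usr/bin/cat\" name=\"/etc/shadow\" "
    "pid=1234 comm=\"cat\" requested_mask=\"r\" denied_mask=\"r\" "
    "fsuid=1000 ouid=0";

/* Hypothetical stand-in for the fields of ausearch's per-record
 * structure that the thread talks about (an.avc_result, an.avc_perm,
 * an.avc_class). */
struct avc_fields {
    int   has_avc_marker;   /* 1 when the SELinux "avc: " marker is present */
    char *result;           /* e.g. "denied"; NULL when no marker */
    char *perm;             /* text inside "{ ... }"; NULL when no marker */
    char *tclass;           /* value of tclass=; NULL when the field is absent */
};

/* Copy [start, end) into a fresh NUL-terminated string. */
static char *dup_span(const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Parse one AVC record into f. Returns 0 on success, -1 only when a record
 * that does carry the "avc: " marker is malformed. A record without the
 * marker, or without tclass=, is not an error: the corresponding fields
 * stay NULL, which is the behaviour the patch introduces for tclass=. */
int parse_avc_fields(const char *msg, struct avc_fields *f)
{
    const char *str, *term, *end;

    memset(f, 0, sizeof(*f));

    str = strstr(msg, "avc: ");
    if (str != NULL) {
        f->has_avc_marker = 1;
        str += 5;
        while (*str == ' ')
            str++;
        term = strchr(str, ' ');
        if (term == NULL)
            return -1;
        f->result = dup_span(str, term);      /* "denied" or "granted" */

        str = strchr(term, '{');
        if (str != NULL) {
            str++;
            while (*str == ' ')
                str++;
            term = strchr(str, '}');
            if (term == NULL)
                return -1;
            end = term;
            while (end > str && end[-1] == ' ')
                end--;
            f->perm = dup_span(str, end);     /* e.g. "read" */
        }
    }

    /* The class sits near the end of the record; copy it only if present
     * instead of failing the whole record as the pre-patch code did. */
    str = strstr(msg, "tclass=");
    if (str != NULL) {
        str += 7;
        term = strchr(str, ' ');
        if (term == NULL)
            term = str + strlen(str);
        f->tclass = dup_span(str, term);
    }
    return 0;
}

void free_avc_fields(struct avc_fields *f)
{
    free(f->result);
    free(f->perm);
    free(f->tclass);
    memset(f, 0, sizeof(*f));
}

int main(void)
{
    const char *samples[] = { SELINUX_SAMPLE, APPARMOR_SAMPLE };
    struct avc_fields f;
    size_t i;

    for (i = 0; i < 2; i++) {
        if (parse_avc_fields(samples[i], &f) != 0) {
            fprintf(stderr, "record %zu: malformed\n", i);
            continue;
        }
        printf("record %zu: marker=%d result=%s perm=%s tclass=%s\n", i,
               f.has_avc_marker, f.result ? f.result : "(none)",
               f.perm ? f.perm : "(none)", f.tclass ? f.tclass : "(none)");
        free_avc_fields(&f);
    }
    return 0;
}
```

Running it shows the asymmetry Tyler points out: the SELinux record yields result, permission and class, while the AppArmor record parses without error but leaves all three NULL, so any consumer of those fields has to tolerate NULL before AppArmor events can be reported meaningfully.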
