I'm fine if other LSMs would like to use their own record type. Makes sense.
-Eric On Mon, 23 Jun 2014 17:06:55 -0700 Tony Jones <[email protected]> wrote: > On 06/06/2014 02:10 PM, Tyler Hicks wrote: > > [Added Eric to cc] > > You didn't actually add Eric to the Cc: Adding him. > > > > > On 2014-06-06 13:46:48, Tyler Hicks wrote: > >> On 2014-05-30 17:00:04, Steve Grubb wrote: > >>> On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote: > >>>> On 2014-05-30 15:53:49, Steve Grubb wrote: > >>>>> On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote: > >>>>>> This patch came from our L3 department. AppArmor LSM is > >>>>>> logging using the > >>>>>> common_lsm_audit() call but the audit userspace parsing code > >>>>>> expects to see > >>>>>> an SELinux tclass field. This patch doesn't address the lack > >>>>>> of support for > >>>>>> AppArmor in "aureport --avc". Talking to Seth Arnold, > >>>>>> Canonical apparently > >>>>>> has patches for this; if this is true perhaps they can post for > >>>>>> inclusion. > >>>>>> > >>>>>> Based-on-work-by: William Preston <[email protected]> > >>>>>> Signed-off-by: Tony Jones <[email protected]> > >>>>> > >>>>> I was looking at this patch and was wondering something. Does > >>>>> AppArmor produce AUDIT_AVC events? > >>>> > >>>> It does. Here's an odd ball that I picked out of my audit log: > >>> > >>> Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so > >>> that this problem would never happen. > >>> > >>> libaudit.h: > >>> #define AUDIT_FIRST_SELINUX 1400 > >>> #define AUDIT_LAST_SELINUX 1499 > >>> #define AUDIT_FIRST_APPARMOR 1500 > >>> #define AUDIT_LAST_APPARMOR 1599 > >> > >> I wasn't involved with AppArmor when it was going through upstream > >> acceptance reviews, but I've asked around to get the history. > >> > >> As Tony mentioned, AppArmor was originally using the 1500-1599 > >> block. At some point (I couldn't find it in the list archives), it > >> was said that AppArmor needs to use common_lsm_audit() which > >> unconditionally uses AUDIT_AVC. > > > > I found the review that caused AppArmor to switch to the common LSM > > audit function: > > > > https://lkml.org/lkml/2009/11/9/232 > > > > That email is almost 5 years old and minds can change over that > > time, but Eric seemed to be against adding new audit event types > > for each LSM. Instead, he wanted a lsm=<LSM> pair to be included in > > the message. > > > > AppArmor can accommodate either approach so I think Steve and Eric > > ought to come to an agreement on what non-SELinux LSMs should do > > when auditing. > > > > Tyler > > > > > > > > -- > > Linux-audit mailing list > > [email protected] > > https://www.redhat.com/mailman/listinfo/linux-audit > > > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
