On 11/2/2020 2:08 PM, Richard Guy Briggs wrote: > On 2020-11-02 13:54, Casey Schaufler wrote: >> Verify that there are subj= and obj= fields in a record >> if and only if they are expected. A system without a security >> module that provides these fields should not include them. >> A system with multiple security modules providing these fields >> (e.g. SELinux and AppArmor) should always provide "?" for the >> data and also include a AUDIT_MAC_TASK_CONTEXTS or >> AUDIT_MAC_OBJ_CONTEXTS record. The test uses the LSM list from >> /sys/kernel/security/lsm to determine which format is expected. >> >> Signed-off-by: Casey Schaufler <ca...@schaufler-ca.com> >> --- >> tests/Makefile | 1 + >> tests/multiple_contexts/Makefile | 12 +++ >> tests/multiple_contexts/test | 166 +++++++++++++++++++++++++++++++ >> 3 files changed, 179 insertions(+) >> create mode 100644 tests/multiple_contexts/Makefile >> create mode 100755 tests/multiple_contexts/test >> >> diff --git a/tests/Makefile b/tests/Makefile >> index a7f242a..f20f6b1 100644 >> --- a/tests/Makefile >> +++ b/tests/Makefile >> @@ -18,6 +18,7 @@ TESTS := \ >> file_create \ >> file_delete \ >> file_rename \ >> + multiple_contexts \ > "context" is a bit ambiguous. Could this be named something to indicate > a security context rather than any other sort, such as audit or user > context?
Would "subj_obj_fields" be better?
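Review bot: the new `multiple_contexts` entry in the tests/Makefile hunk sits in the unconditional `TESTS := \` list, while the commit message says the test reads /sys/kernel/security/lsm to decide which record format to expect. Nothing in the visible lines shows what happens when that file is missing or unreadable on the system under test. Please confirm that tests/multiple_contexts/test handles that case explicitly (skips, or treats it as the no-LSM case) rather than failing, or gate the entry in the Makefile on the file being present. Whichever name is settled on in this thread, the directory in the diffstat and this TESTS entry need to change together.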