Re: Access Vector Cache initialization audit message

2017-05-30 Thread Stephen Smalley
On Mon, 2017-05-29 at 14:53 -0400, Richard Guy Briggs wrote:
> Hi,
> 
> On kernel Access Vector Cache (AVC) initialization, there is an audit
> KERNEL type message logged to announce this fact.
> 
> The general format of audit messages is label=value pair fields.
> Steve Grubb has been asking to have these records normalized by
> having a predictable set of field labels present.
> 
> There already exists an audit KERNEL message giving audit state which
> has been normalized thus:
> "state=initialized audit_enabled=%u res=1"
> 
> The AVC initialization audit message doesn't currently fit that
> format:
> "AVC INITIALIZED"
> 
> I'd created an issue to normalize the AVC initialization along these
> lines or to have it move to a new message type and Paul Moore is
> questioning whether this message is required at all:
> https://github.com/linux-audit/audit-kernel/issues/48
> 
> Can this message simply be eliminated?

AFAICT, yes, you can just remove it.



Access Vector Cache initialization audit message

2017-05-29 Thread Richard Guy Briggs
Hi, 
  
On kernel Access Vector Cache (AVC) initialization, there is an audit KERNEL 
type message logged to announce this fact.

The general format of audit messages is label=value pair fields.  Steve Grubb
has been asking to have these records normalized by having a predictable set of
field labels present.

There already exists an audit KERNEL message giving audit state which has been 
normalized thus:
"state=initialized audit_enabled=%u res=1"

The AVC initialization audit message doesn't currently fit that format:
"AVC INITIALIZED"

I'd created an issue to normalize the AVC initialization along these lines or 
to have it move to a new message type and Paul Moore is questioning whether
this message is required at all:
https://github.com/linux-audit/audit-kernel/issues/48

Can this message simply be eliminated?

Thanks!


- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
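
The label=value convention discussed in this thread, as an added example that is not part of the original messages or of the kernel or audit code: a small Python checker that splits an audit message body into label=value fields and reports tokens that carry no label. The function names, the `REQUIRED` tuple (taken from the normalized message quoted in the thread) and the sample values are assumptions constructed for illustration.

```python
import re

# A field is label=value, where value is a double-quoted string or a run of
# non-space characters. Any other token is captured as "bare" (no label).
TOKEN_RE = re.compile(
    r'(?P<label>[A-Za-z_][A-Za-z0-9_-]*)=(?P<value>"[^"]*"|\S*)'
    r'|(?P<bare>\S+)'
)

# Labels of the normalized audit-state message quoted in the thread.
REQUIRED = ("state", "audit_enabled", "res")


def parse_body(body):
    """Return (fields, bare_tokens, duplicate_labels) for one message body."""
    fields, bare, duplicates = {}, [], []
    for m in TOKEN_RE.finditer(body):
        if m.group("bare") is not None:
            bare.append(m.group("bare"))
            continue
        label, value = m.group("label"), m.group("value")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes
        if label in fields:
            duplicates.append(label)  # keep the first value, report the repeat
        else:
            fields[label] = value
    return fields, bare, duplicates


def check_body(body, required=REQUIRED):
    """Report what keeps a body from being a predictable label=value record."""
    fields, bare, duplicates = parse_body(body)
    missing = [label for label in required if label not in fields]
    return {"ok": not (bare or duplicates or missing),
            "bare": bare, "missing": missing, "duplicates": duplicates}


if __name__ == "__main__":
    # Constructed samples: the two formats from the thread, %u filled with 1.
    for body in ("state=initialized audit_enabled=1 res=1", "AVC INITIALIZED"):
        print(repr(body), check_body(body))
```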