[PATCH] LSPP audit enablement: storing selinux ocontext and scontext

Debora Velarde dvelarde at us.ibm.com
Thu Jul 28 18:34:58 UTC 2005

linux-audit-bounces at redhat.com wrote on 07/22/2005 11:20:32 AM:

> On Thu, 2005-07-21 at 10:48 -0500, Dustin Kirkland wrote:
> > The attached patch contains functionality specified by the labeled
> > security protection profile--basically appending object context and
> > subject context labels to audit records.
>
> Here are a few examples of how the new audit messages look.  Notice the
> "ocontext" and "scontext" fields appended to the end of the record.
>
> Eventually, the audit FVT test cases would need to change slightly to
> account for the additional information.
>
> But in a private conversation with David Woodhouse, he spoke of creating
> a newly branched GIT tree containing post-RHEL4u2 changes--of which this
> should be one.  This functionality is *not* required for CAPP.  Rather,
> we're proactively working this upstream now in anticipation of LSPP.
>
> :-Dustin
>
>
>
> ----
> # cat /var/log/audit/audit.log | grep context | tail
>
> type=SYSCALL msg=audit(1121807986.280:1091967): arch=40000003 syscall=5
> success=yes exit=3 a0=d618c2 a1=8000 a2=0 a3=8000 items=1 pid=2816
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="id" exe="/usr/bin/id" scontext=system_u:system_r:initrc_t
>
> type=PATH msg=audit(1121807986.280:1091967): item=0
> name="/proc/self/attr/current" flags=101  inode=184549398 dev=00:03
> mode=0100666 ouid=0 ogid=0 rdev=00:00
> ocontext=system_u:system_r:initrc_t
>
> type=SYSCALL msg=audit(1121807986.280:1092004): arch=40000003 syscall=5
> success=yes exit=3 a0=80f81f0 a1=8000 a2=0 a3=8000 items=1 pid=2810
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t
>
> type=PATH msg=audit(1121807986.280:1092004): item=0
> name="/etc/sysconfig/auditd" flags=101  inode=245774 dev=03:02
> mode=0100640 ouid=0 ogid=0 rdev=00:00 ocontext=system_u:object_r:etc_t
>
> type=SYSCALL msg=audit(1121807986.284:1092061): arch=40000003 syscall=5
> success=yes exit=3 a0=81113a0 a1=8000 a2=0 a3=8000 items=1 pid=2810
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t
>
> type=PATH msg=audit(1121807986.284:1092061): item=0
> name="/var/run/auditd.pid" flags=101  inode=2113716 dev=03:02
> mode=0100644 ouid=0 ogid=0 rdev=00:00
> ocontext=root:object_r:auditd_var_run_t
>
> type=SYSCALL msg=audit(1121807986.284:1092099): arch=40000003 syscall=5
> success=yes exit=3 a0=8111c48 a1=8241 a2=1b6 a3=8241 items=1 pid=2810
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t
>
> type=PATH msg=audit(1121807986.284:1092099): item=0 name="/dev/null"
> flags=310  inode=506 dev=00:0f mode=040755 ouid=0 ogid=0 rdev=00:00
> ocontext=system_u:object_r:device_t
>

The audit record changes are okay as long as they are made post RHEL4 U2.
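The parser below is an added example; it is not part of Dustin's mail, Debora's reply or the kernel patch under discussion. It consumes records in exactly the layout quoted above (space-separated key=value pairs, double-quoted string values, and a msg=audit(seconds:serial): token that ties the SYSCALL and PATH records of one event together), pairs each event's subject label (scontext) with its object labels (ocontext), and reports records that still lack the new fields, which is the check an FVT test case would need once the patch is in. The sample input is the quoted audit.log excerpt with the mail's line wrapping removed; the function names are mine, and the optional fourth context field (`range`) is an assumption about the later MLS form of a context, which these 2005 records do not carry.

```python
"""Correlate SELinux scontext/ocontext fields in Linux audit records.

Added example for the LSPP audit-labelling discussion; not code from the
patch. Assumes only the record layout visible in the quoted audit.log.
"""
import re

# Sample records copied from the quoted audit.log excerpt, one record per line
# (the mail wrapped them; audit.log itself writes each record on one line).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1121807986.280:1091967): arch=40000003 syscall=5 success=yes exit=3 a0=d618c2 a1=8000 a2=0 a3=8000 items=1 pid=2816 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="id" exe="/usr/bin/id" scontext=system_u:system_r:initrc_t
type=PATH msg=audit(1121807986.280:1091967): item=0 name="/proc/self/attr/current" flags=101  inode=184549398 dev=00:03 mode=0100666 ouid=0 ogid=0 rdev=00:00 ocontext=system_u:system_r:initrc_t
type=SYSCALL msg=audit(1121807986.280:1092004): arch=40000003 syscall=5 success=yes exit=3 a0=80f81f0 a1=8000 a2=0 a3=8000 items=1 pid=2810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t
type=PATH msg=audit(1121807986.280:1092004): item=0 name="/etc/sysconfig/auditd" flags=101  inode=245774 dev=03:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 ocontext=system_u:object_r:etc_t
type=SYSCALL msg=audit(1121807986.284:1092061): arch=40000003 syscall=5 success=yes exit=3 a0=81113a0 a1=8000 a2=0 a3=8000 items=1 pid=2810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t
type=PATH msg=audit(1121807986.284:1092061): item=0 name="/var/run/auditd.pid" flags=101  inode=2113716 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 ocontext=root:object_r:auditd_var_run_t
type=SYSCALL msg=audit(1121807986.284:1092099): arch=40000003 syscall=5 success=yes exit=3 a0=8111c48 a1=8241 a2=1b6 a3=8241 items=1 pid=2810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="K87auditd" exe="/bin/bash" scontext=system_u:system_r:initrc_t
type=PATH msg=audit(1121807986.284:1092099): item=0 name="/dev/null" flags=310  inode=506 dev=00:0f mode=040755 ouid=0 ogid=0 rdev=00:00 ocontext=system_u:object_r:device_t
"""

# key=value tokens; a double-quoted value may contain spaces
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the event identifier carried in the msg= field: audit(<secs>.<ms>:<serial>):
_MSG_RE = re.compile(r'^audit\((\d+\.\d+):(\d+)\):?$')


def parse_record(line):
    """Turn one audit line into a dict; adds 'timestamp' and 'serial' from msg=."""
    rec = {}
    for key, value in _FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rec[key] = value
    m = _MSG_RE.match(rec.get("msg", ""))
    if not m:
        raise ValueError("no audit(ts:serial) token in: %r" % line)
    rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    return rec


def group_events(log_text):
    """Group records by serial (dict keeps first-seen event order)."""
    events = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def split_context(ctx):
    """Split user:role:type[:range]; 'range' is None for a three-field context.
    The range field is an assumption about the later MLS form of a context."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}


def subject_object_pairs(log_text):
    """Pair each event's SYSCALL subject label with each PATH object label.
    Returns (serial, comm, scontext, name, ocontext) tuples."""
    pairs = []
    for serial, recs in group_events(log_text).items():
        syscalls = [r for r in recs if r["type"] == "SYSCALL"]
        if not syscalls:
            continue
        sc = syscalls[0]
        for r in recs:
            if r["type"] == "PATH":
                pairs.append((serial, sc.get("comm"), sc.get("scontext"),
                              r.get("name"), r.get("ocontext")))
    return pairs


def records_missing_labels(log_text):
    """(serial, type) for SYSCALL records without scontext and PATH records
    without ocontext, i.e. records a kernel without this patch would emit."""
    missing = []
    for serial, recs in group_events(log_text).items():
        for r in recs:
            if r["type"] == "SYSCALL" and "scontext" not in r:
                missing.append((serial, "SYSCALL"))
            elif r["type"] == "PATH" and "ocontext" not in r:
                missing.append((serial, "PATH"))
    return missing


if __name__ == "__main__":
    for serial, comm, sctx, name, octx in subject_object_pairs(SAMPLE_LOG):
        print(serial, comm, sctx, "->", name, octx)
    print("records missing labels:", records_missing_labels(SAMPLE_LOG))
```

Two things the paired output makes visible that the raw log does not: in event 1091967 the object label equals the subject label, because /proc/self/attr/current is a per-process entry and takes the context of the process that opens it; and /var/run/auditd.pid carries the SELinux user root rather than system_u, so it was created by a root login session rather than by an init-started service. records_missing_labels() is the kind of assertion the FVT cases would add once they expect the new fields; an empty list on a post-patch log is the pass condition.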