[PATCH] LSPP audit enablement: storing selinux ocontext and scontext

Timothy R. Chavez tinytim at us.ibm.com
Mon Sep 26 19:28:53 UTC 2005


On Monday 26 September 2005 14:00, Steve Grubb wrote:
> On Thursday 21 July 2005 11:48, Dustin Kirkland wrote:
> > The attached patch contains functionality specified by the labeled
> > security protection profile--basically appending object context and
> > subject context labels to audit records.
> 
> Let's use the following audit message number ranges for the next round of
> development:
> 
> 1500 - 1599 kernel LSPP events
> 1600 - 1699 user space generated LSPP events
> 1700 - 1799 kernel crypto events
> 1800 - 1899 user space crypto events
> 1900 - 1999 future use (maybe integrity labels and related events)

Maybe I missed it... What's the 2000 - 2099 block reserved for again?  I see
AUDIT_KERNEL at 2000, but I'm looking at an audit git tree that's not been
updated for over a month.

> 2100 - 2199 user space anomaly records
> 2200 - 2299 user space actions taken in response to anomalies
> 
> 
> I'd also like to suggest that this patch collect 2 kinds of contexts, subject 
> and object. Subject being the context associated with the caller, object 
> being whatever system object that is being accessed. There can be more than 
> one object in the syscall. I'm undecided about whether they should be all in 
> 1 record or each a separate record in the same event.

In terms of parsing, I'd imagine it'd be easiest if a subrecord had a static format
(and in the case of a binary record, a fixed size) and could not grow arbitrarily
large.  I vote to make them separate subrecords which are then correlated using
a common token=value.  In this case, something like: event=<this_event>??

> This would mean taking  
> 1500 as subject label and 1501 as object label.
> 
> -Steve
> 

-tim
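
Added example, not part of the original message or the patch: a sketch of the parsing approach discussed above, with separate fixed-format subrecords correlated by a shared `event=` token. The text record layout, the `scontext`/`ocontext` field names and the sample lines are constructed assumptions; the type numbers and ranges are the ones proposed in the thread.

```python
from collections import defaultdict

RANGES = [  # message number ranges as proposed in the thread
    (1500, 1599, "kernel LSPP events"),
    (1600, 1699, "user space generated LSPP events"),
    (1700, 1799, "kernel crypto events"),
    (1800, 1899, "user space crypto events"),
    (1900, 1999, "future use"),
    (2100, 2199, "user space anomaly records"),
    (2200, 2299, "user space actions taken in response to anomalies"),
]
SUBJECT_LABEL, OBJECT_LABEL = 1500, 1501  # suggested in the thread

def classify(msg_type):
    for lo, hi, name in RANGES:
        if lo <= msg_type <= hi:
            return name
    return "not listed"

def parse_record(line):
    """Split one 'token=value ...' subrecord (hypothetical layout) into a dict."""
    fields = {}
    for tok in line.split():
        key, sep, value = tok.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed token: {tok!r}")
        fields[key] = value
    return {**fields, "type": int(fields["type"]), "event": int(fields["event"])}

def correlate(lines):
    """Group subrecords by event token: one subject, any number of objects."""
    events = defaultdict(lambda: {"subject": None, "objects": [], "other": []})
    for line in lines:
        rec = parse_record(line)
        ev = events[rec["event"]]
        if rec["type"] == SUBJECT_LABEL:
            ev["subject"] = rec["scontext"]
        elif rec["type"] == OBJECT_LABEL:
            ev["objects"].append(rec["ocontext"])
        else:
            ev["other"].append((rec["type"], classify(rec["type"])))
    return dict(events)

# Constructed sample: two interleaved events, one with two object labels.
SAMPLE = [
    "type=1500 event=7 scontext=user_u:user_r:user_t:s0",
    "type=1501 event=7 ocontext=system_u:object_r:etc_t:s0",
    "type=1700 event=8 op=constructed",
    "type=1501 event=7 ocontext=system_u:object_r:tmp_t:s0",
]
```

Because each subrecord carries its own `event` token, records from different events can arrive interleaved and the number of object labels per event does not change the shape of any single record.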