[RFC PATCH] New audit message for NetLabel static/fallback labels

Paul Moore paul.moore at hp.com
Wed Nov 21 21:37:43 UTC 2007 

On Wednesday 21 November 2007 4:26:57 pm Paul Moore wrote:
> On Wednesday 21 November 2007 4:21:26 pm Linda Knippers wrote:
> > Paul Moore wrote:
> > > For reference, here are four examples of the new message types pulled
> > > from a Fedora Rawhide machine running this patch:
> > >
> > >  * adding new fallback label using network interface "lo" and
> > >    address "127.0.0.0/8"
> > >
> > >    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
> > >     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> > >     netif=lo daddr=127.0.0.0 daddr_mask=8 \
> > >     sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> >
> > At the risk of being nit-picky, it seems like the convention for network
> > addresses is either separate address and netmask fields, or the combined
> > address/bits-in-netmask notation.  For example, ifconfig (on ubuntu,
> > anyway) uses the former for IPv4 and the later for IPv6 addresses.
> >
> > lo        Link encap:Local Loopback
> >           inet addr:127.0.0.1  Mask:255.0.0.0
> >           inet6 addr: ::1/128 Scope:Host
> >
> > These audit records separate the two values but use the bits-in-netmask
> > instead of the netmask in dot notation, which seems inconsistent to me.
> > Seems like the audit record above should either have an address of
> > 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.
>
> I agree in that I like seeing the netmask attached to the address, but when
> I posed the question earlier to the list there was concern that this would
> cause breakage in the tools.  I just thought of something, would you be
> more comfortable if I changed the name from 'daddr_mask' to
> 'daddr_prefixlen'?

The more I think about this, the more I like the idea of 'daddr_prefixlen', 
I'm going to go and make that change.  Although I'm still unclear of how 
people would like to see the netmask information - part of the address or 
separate.

For what it is worth I think we are going to need to augment the existing 
IPsec SPD audit messages to include this information as well (see my other 
mail).

-- 
paul moore
linux security @ hp

More information about the Linux-audit mailing list