[PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Tyler Hicks
tyhicks at canonical.com
Fri Jun 6 21:10:51 UTC 2014
[Added Eric to cc]
On 2014-06-06 13:46:48, Tyler Hicks wrote:
> On 2014-05-30 17:00:04, Steve Grubb wrote:
> > On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
> > > On 2014-05-30 15:53:49, Steve Grubb wrote:
> > > > On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
> > > > > This patch came from our L3 department. AppArmor LSM is logging using
> > > > > the
> > > > > common_lsm_audit() call but the audit userspace parsing code expects to
> > > > > see
> > > > > an SELinux tclass field. This patch doesn't address the lack of support
> > > > > for
> > > > > AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical
> > > > > apparently
> > > > > has patches for this; if this is true perhaps they can post for
> > > > > inclusion.
> > > > >
> > > > > Based-on-work-by: William Preston <wpreston at suse.com>
> > > > > Signed-off-by: Tony Jones <tonyj at suse.de>
> > > >
> > > > I was looking at this patch and was wondering something. Does AppArmor
> > > > produce AUDIT_AVC events?
> > >
> > > It does. Here's an odd ball that I picked out of my audit log:
> >
> > Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so that this
> > problem would never happen.
> >
> > libaudit.h:
> > #define AUDIT_FIRST_SELINUX 1400
> > #define AUDIT_LAST_SELINUX 1499
> > #define AUDIT_FIRST_APPARMOR 1500
> > #define AUDIT_LAST_APPARMOR 1599
>
> I wasn't involved with AppArmor when it was going through upstream
> acceptance reviews, but I've asked around to get the history.
>
> As Tony mentioned, AppArmor was originally using the 1500-1599 block. At
> some point (I couldn't find it in the list archives), it was said that
> AppArmor needs to use common_lsm_audit() which unconditionally uses
> AUDIT_AVC.
I found the review that caused AppArmor to switch to the common LSM
audit function:
https://lkml.org/lkml/2009/11/9/232
That email is almost 5 years old and minds can change over that time,
but Eric seemed to be against adding new audit event types for each LSM.
Instead, he wanted a lsm=<LSM> pair to be included in the message.
AppArmor can accommodate either approach so I think Steve and Eric ought
to come to an agreement on what non-SELinux LSMs should do when
auditing.
Tyler
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140606/7645b1fe/attachment.sig>
More information about the Linux-audit
mailing list