[PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

Tony Jones tonyj at suse.de
Tue Jun 24 00:06:55 UTC 2014


On 06/06/2014 02:10 PM, Tyler Hicks wrote:
> [Added Eric to cc]

You didn't actually add Eric to the Cc: Adding him.

> 
> On 2014-06-06 13:46:48, Tyler Hicks wrote:
>> On 2014-05-30 17:00:04, Steve Grubb wrote:
>>> On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
>>>> On 2014-05-30 15:53:49, Steve Grubb wrote:
>>>>> On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
>>>>>> This patch came from our L3 department.  AppArmor LSM is logging using
>>>>>> the common_lsm_audit() call but the audit userspace parsing code expects
>>>>>> to see an SELinux tclass field. This patch doesn't address the lack of
>>>>>> support for AppArmor in "aureport --avc".  Talking to Seth Arnold,
>>>>>> Canonical apparently has patches for this; if this is true perhaps they
>>>>>> can post for inclusion.
>>>>>>
>>>>>> Based-on-work-by: William Preston <wpreston at suse.com>
>>>>>> Signed-off-by: Tony Jones <tonyj at suse.de>
>>>>>
>>>>> I was looking at this patch and was wondering something. Does AppArmor
>>>>> produce AUDIT_AVC events?
>>>>
>>>> It does. Here's an odd ball that I picked out of my audit log:
>>>
>>> Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so that this 
>>> problem would never happen.
>>>
>>> libaudit.h:
>>> #define AUDIT_FIRST_SELINUX     1400
>>> #define AUDIT_LAST_SELINUX      1499
>>> #define AUDIT_FIRST_APPARMOR            1500
>>> #define AUDIT_LAST_APPARMOR             1599
>>
>> I wasn't involved with AppArmor when it was going through upstream
>> acceptance reviews, but I've asked around to get the history. 
>>
>> As Tony mentioned, AppArmor was originally using the 1500-1599 block. At
>> some point (I couldn't find it in the list archives), it was said that
>> AppArmor needs to use common_lsm_audit() which unconditionally uses
>> AUDIT_AVC.
> 
> I found the review that caused AppArmor to switch to the common LSM
> audit function:
> 
>   https://lkml.org/lkml/2009/11/9/232
> 
> That email is almost 5 years old and minds can change over that time,
> but Eric seemed to be against adding new audit event types for each LSM.
> Instead, he wanted a lsm=<LSM> pair to be included in the message.
> 
> AppArmor can accommodate either approach so I think Steve and Eric ought
> to come to an agreement on what non-SELinux LSMs should do when
> auditing.
> 
> Tyler
> 
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
> 
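The parsing problem the thread describes, as an added example (not code from the thread or from the audit userspace): both SELinux and AppArmor arrive as numeric type 1400 via common_lsm_audit(), so a parser keyed only on the SELinux tclass field silently drops the AppArmor records. The sample records, the lsm= pair (Eric's suggested approach, not existing kernel output) and all function names are constructed for illustration.

```python
import re
# Event type ranges from libaudit.h as quoted in the thread; common_lsm_audit()
# emits AUDIT_AVC (1400) for every LSM, so the number alone cannot tell them apart.
AUDIT_FIRST_SELINUX, AUDIT_LAST_SELINUX = 1400, 1499
AUDIT_FIRST_APPARMOR, AUDIT_LAST_APPARMOR = 1500, 1599
# Constructed sample records (not from the thread), in the text form auditd writes.
SAMPLE_LOG = """\
type=AVC msg=audit(1401234567.123:45): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev="sda1" ino=99 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1401234568.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=2345 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1401234569.789:47): lsm=apparmor apparmor="ALLOWED" operation="capable" profile="/usr/sbin/ntpd" pid=3456 comm="ntpd" capability=12 capname="net_admin"
type=SYSCALL msg=audit(1401234568.456:46): arch=c000003e syscall=2 success=no exit=-13 pid=2345 comm="cupsd"
"""
_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def lsm_for_type_number(num):
    """Map a numeric event type to an LSM using the libaudit.h ranges."""
    if AUDIT_FIRST_SELINUX <= num <= AUDIT_LAST_SELINUX:
        return "selinux"
    if AUDIT_FIRST_APPARMOR <= num <= AUDIT_LAST_APPARMOR:
        return "apparmor"
    return None

def parse_record(line):
    """Split one audit line into type, serial and a dict of key=value fields."""
    m = _HEADER.match(line)
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(body)}
    return {"type": rtype, "serial": int(serial), "fields": fields}

def lsm_for_avc(rec):
    """Decide which LSM produced an AVC record from its fields: an explicit lsm=
    pair wins, otherwise tclass= marks SELinux and apparmor= marks AppArmor."""
    if rec is None or rec["type"] != "AVC":
        return None
    f = rec["fields"]
    if "lsm" in f:
        return f["lsm"]
    if "tclass" in f:
        return "selinux"
    if "apparmor" in f:
        return "apparmor"
    return "unknown"

def avc_summary(log_text):
    # (serial, lsm) for every AVC record, including those without tclass.
    return [(r["serial"], lsm_for_avc(r)) for r in map(parse_record, log_text.splitlines())
            if r is not None and r["type"] == "AVC"]
```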