Message ID | ce5219eaed412cc02caef75934b8c3b40087db83.1501158372.git.rgb@redhat.com (mailing list archive) |
---|---|
State | Accepted |
On Fri, 2017-07-28 at 03:23 -0400, Richard Guy Briggs wrote:
> In the process of normalizing audit log messages, it was noticed that
> the AVC
> initialization code registered an audit log KERNEL record that didn't
> fit the
> standard format. In the process of attempting to normalize it it was
> determined that this record was not even necessary. Remove it.
>
> Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
> See: https://github.com/linux-audit/audit-kernel/issues/48
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
> security/selinux/avc.c | 2 --
> 1 files changed, 0 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index e60c79d..4b42931 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -197,8 +197,6 @@ void __init avc_init(void)
> avc_xperms_data_cachep =
> kmem_cache_create("avc_xperms_data",
> sizeof(struct
> extended_perms_data),
> 0, SLAB_PANIC, NULL);
> -
> - audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL,
> "AVC INITIALIZED\n");
> }
>
> int avc_get_hash_stats(char *page)
On Friday, July 28, 2017 3:23:31 AM EDT Richard Guy Briggs wrote:
> In the process of normalizing audit log messages, it was noticed that the
> AVC initialization code registered an audit log KERNEL record that didn't
> fit the standard format. In the process of attempting to normalize it it
> was determined that this record was not even necessary. Remove it.

Actually, I'd probably go the other direction. I'd make it useful. How about an AUDIT_MAC_INIT record that records name of MAC framework, status (enabled/disabled), and enforcing mode (enforcing/permissive). This way if there is an investigation that needs to know the initial system state, we have that information preserved. There might be one or two other tidbits people might want to know like policy version or number of overrides (booleans) deviating from policy baseline. But I'd say that's nice to have and not mandatory.

I'm pretty sure that was the intent of the event and it's probably to satisfy one of the FMT_MSA.3 common criteria requirements about initial subject/object security attribute association.

-Steve

> Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
> See: https://github.com/linux-audit/audit-kernel/issues/48
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> security/selinux/avc.c | 2 --
> 1 files changed, 0 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index e60c79d..4b42931 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -197,8 +197,6 @@ void __init avc_init(void)
> avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data",
> sizeof(struct extended_perms_data),
> 0, SLAB_PANIC, NULL);
> -
> - audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC
> INITIALIZED\n"); }
>
> int avc_get_hash_stats(char *page)
On Fri, 2017-07-28 at 09:11 -0400, Steve Grubb wrote:
> On Friday, July 28, 2017 3:23:31 AM EDT Richard Guy Briggs wrote:
> > In the process of normalizing audit log messages, it was noticed
> > that the
> > AVC initialization code registered an audit log KERNEL record that
> > didn't
> > fit the standard format. In the process of attempting to normalize
> > it it
> > was determined that this record was not even necessary. Remove it.
>
> Actually, I'd probably go the other direction. I'd make it useful.
> How about an
> AUDIT_MAC_INIT record that records name of MAC framework, status
> (enabled/
> disabled), and enforcing mode (enforcing/permissive). This way if
> there is an
> investigation that needs to know the initial system state, we have
> that
> information preserved. There might be one or two other tidbits people
> might
> want to know like policy version or number of overrides (booleans)
> deviating
> from policy baseline. But I'd say that's nice to have and not
> mandatory.
>
> I'm pretty sure that was the intent of the event and it's probably to
> satisfy
> one of the FMT_MSA.3 common criteria requirements about initial
> subject/object
> security attribute association.

None of that is known in avc_init(). Aren't you already getting what you need from AUDIT_MAC_STATUS and AUDIT_MAC_POLICY_LOAD?

>
> -Steve
>
> > Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
> > See: https://github.com/linux-audit/audit-kernel/issues/48
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > security/selinux/avc.c | 2 --
> > 1 files changed, 0 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> > index e60c79d..4b42931 100644
> > --- a/security/selinux/avc.c
> > +++ b/security/selinux/avc.c
> > @@ -197,8 +197,6 @@ void __init avc_init(void)
> > avc_xperms_data_cachep =
> > kmem_cache_create("avc_xperms_data",
> > sizeof(struct
> > extended_perms_data),
> > 0, SLAB_PANIC, NULL);
> > -
> > - audit_log(current->audit_context, GFP_KERNEL,
> > AUDIT_KERNEL, "AVC
> > INITIALIZED\n"); }
> >
> > int avc_get_hash_stats(char *page)
> >
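Stephen Smalley's point above, that the boot-time MAC state is already carried by AUDIT_MAC_STATUS and AUDIT_MAC_POLICY_LOAD, as an added example that is not code from the thread or the kernel: a small parser over constructed audit records showing that the free-form KERNEL record the patch removes yields no key=value fields an investigator can use, while the structured records give the initial enforcing mode and policy load. The record shapes are assumed from typical audit userspace output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records (not taken from the thread): the free-form
# KERNEL record the patch removes, then the structured MAC_POLICY_LOAD
# and MAC_STATUS records that already carry the boot-time MAC state.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1501234567.001:1): AVC INITIALIZED
type=MAC_POLICY_LOAD msg=audit(1501234567.120:7): policy loaded auid=4294967295 ses=4294967295
type=MAC_STATUS msg=audit(1501234567.121:8): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=MAC_STATUS msg=audit(1501234800.500:310): enforcing=0 old_enforcing=1 auid=1000 ses=3
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
KV = re.compile(r"(\S+?)=(\S+)")

@dataclass
class Record:
    rtype: str
    ts: float
    serial: int
    fields: dict = field(default_factory=dict)
    free_text: str = ""  # whatever is not key=value, e.g. "AVC INITIALIZED"

def parse_record(line: str) -> Record:
    """Split one audit line into type, timestamp, serial and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, ts, serial, body = m.groups()
    fields = dict(KV.findall(body))
    free = KV.sub("", body).strip()  # text a key=value consumer cannot use
    return Record(rtype, float(ts), int(serial), fields, free)

def initial_mac_state(log: str) -> dict:
    """Recover the boot-time MAC state from structured records only: the first
    MAC_STATUS gives the initial enforcing mode, the first MAC_POLICY_LOAD shows
    a policy was loaded, and records with no key=value field are just counted."""
    recs = [parse_record(l) for l in log.splitlines() if l.strip()]
    state = {"enforcing": None, "policy_loaded": False, "unstructured": 0}
    for r in sorted(recs, key=lambda r: r.serial):
        if r.rtype == "MAC_STATUS" and state["enforcing"] is None:
            state["enforcing"] = int(r.fields["enforcing"])
        elif r.rtype == "MAC_POLICY_LOAD":
            state["policy_loaded"] = True
        if not r.fields:
            state["unstructured"] += 1
    return state
```

Running `initial_mac_state(SAMPLE_LOG)` reports the initial mode as enforcing with a policy loaded, and counts the "AVC INITIALIZED" line as the one record that contributed nothing parseable.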
On Friday, July 28, 2017 9:06:34 AM EDT Stephen Smalley wrote:
> On Fri, 2017-07-28 at 03:23 -0400, Richard Guy Briggs wrote:
> > In the process of normalizing audit log messages, it was noticed that
> > the AVC
> > initialization code registered an audit log KERNEL record that didn't
> > fit the
> > standard format. In the process of attempting to normalize it it was
> > determined that this record was not even necessary. Remove it.
> >
> > Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
> > See: https://github.com/linux-audit/audit-kernel/issues/48
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

Yeah, I guess it can be deleted.

Acked-by: Steve Grubb <sgrubb@redhat.com>

> > ---
> > security/selinux/avc.c | 2 --
> > 1 files changed, 0 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> > index e60c79d..4b42931 100644
> > --- a/security/selinux/avc.c
> > +++ b/security/selinux/avc.c
> > @@ -197,8 +197,6 @@ void __init avc_init(void)
> > avc_xperms_data_cachep =
> > kmem_cache_create("avc_xperms_data",
> > sizeof(struct
> > extended_perms_data),
> > 0, SLAB_PANIC, NULL);
> > -
> > - audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL,
> > "AVC INITIALIZED\n");
> > }
> >
> > int avc_get_hash_stats(char *page)
On Fri, Jul 28, 2017 at 3:23 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> In the process of normalizing audit log messages, it was noticed that the AVC
> initialization code registered an audit log KERNEL record that didn't fit the
> standard format. In the process of attempting to normalize it it was
> determined that this record was not even necessary. Remove it.
>
> Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
> See: https://github.com/linux-audit/audit-kernel/issues/48
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> security/selinux/avc.c | 2 --
> 1 files changed, 0 insertions(+), 2 deletions(-)

Merged, thanks.
On 2017-07-28 18:47, Paul Moore wrote:
> On Fri, Jul 28, 2017 at 3:23 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > In the process of normalizing audit log messages, it was noticed that the AVC
> > initialization code registered an audit log KERNEL record that didn't fit the
> > standard format. In the process of attempting to normalize it it was
> > determined that this record was not even necessary. Remove it.
> >
> > Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
> > See: https://github.com/linux-audit/audit-kernel/issues/48
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > security/selinux/avc.c | 2 --
> > 1 files changed, 0 insertions(+), 2 deletions(-)
>
> Merged, thanks.

Where has this been merged? I'm not able to find it in linux-2.6, selinux/next or pcmoore-audit/next.

> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
On Wed, Aug 23, 2017 at 4:55 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-07-28 18:47, Paul Moore wrote:
>> On Fri, Jul 28, 2017 at 3:23 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> > In the process of normalizing audit log messages, it was noticed that the AVC
>> > initialization code registered an audit log KERNEL record that didn't fit the
>> > standard format. In the process of attempting to normalize it it was
>> > determined that this record was not even necessary. Remove it.
>> >
>> > Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
>> > See: https://github.com/linux-audit/audit-kernel/issues/48
>> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>> > ---
>> > security/selinux/avc.c | 2 --
>> > 1 files changed, 0 insertions(+), 2 deletions(-)
>>
>> Merged, thanks.
>
> Where has this been merged? I'm not able to find it in linux-2.6,
> selinux/next or pcmoore-audit/next

I have no idea what you mean by pcmoore-audit/next; that isn't the official audit repository or a mirror, but it has been merged into the audit/next branch and is present in both the official audit repo on kernel.org as well as the https://github.com/linux-audit/audit-kernel mirror on GitHub.

commit 739bde1f22292d76a179d4cbe29fc7bae86ef5e4
Author: Richard Guy Briggs <rgb@redhat.com>
Date:   Fri Jul 28 03:23:31 2017 -0400

    selinux: remove AVC init audit log message

    In the process of normalizing audit log messages, it was noticed that the AVC
    initialization code registered an audit log KERNEL record that didn't fit the
    standard format. In the process of attempting to normalize it it was
    determined that this record was not even necessary. Remove it.

    Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
    See: https://github.com/linux-audit/audit-kernel/issues/48
    Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
    Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    Acked-by: Steve Grubb <sgrubb@redhat.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
On 2017-08-23 08:41, Paul Moore wrote:
> On Wed, Aug 23, 2017 at 4:55 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-07-28 18:47, Paul Moore wrote:
> >> On Fri, Jul 28, 2017 at 3:23 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> >> > In the process of normalizing audit log messages, it was noticed that the AVC
> >> > initialization code registered an audit log KERNEL record that didn't fit the
> >> > standard format. In the process of attempting to normalize it it was
> >> > determined that this record was not even necessary. Remove it.
> >> >
> >> > Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
> >> > See: https://github.com/linux-audit/audit-kernel/issues/48
> >> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> >> > ---
> >> > security/selinux/avc.c | 2 --
> >> > 1 files changed, 0 insertions(+), 2 deletions(-)
> >>
> >> Merged, thanks.
> >
> > Where has this been merged? I'm not able to find it in linux-2.6,
> > selinux/next or pcmoore-audit/next
>
> I have no idea what you mean by pcmoore-audit/next, that isn't the
> official audit repository or a mirror, but it has been merged into the
> audit/next branch and is present in both the official audit repo on
> kernel.org as well as the https://github.com/linux-audit/audit-kernel
> mirror on GitHub.

My bad. I forgot to update my git remote references from infradead...pcmoore/audit to kernel.org...pcmoore/audit. I now see it is in pcmoore-audit/next and linux-next/master. Sorry for the noise.

> commit 739bde1f22292d76a179d4cbe29fc7bae86ef5e4
> Author: Richard Guy Briggs <rgb@redhat.com>
> Date:   Fri Jul 28 03:23:31 2017 -0400
>
>     selinux: remove AVC init audit log message
>
>     In the process of normalizing audit log messages, it was noticed that the AVC
>     initialization code registered an audit log KERNEL record that didn't fit the
>     standard format. In the process of attempting to normalize it it was
>     determined that this record was not even necessary. Remove it.
>
>     Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
>     See: https://github.com/linux-audit/audit-kernel/issues/48
>     Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>     Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>     Acked-by: Steve Grubb <sgrubb@redhat.com>
>     Signed-off-by: Paul Moore <paul@paul-moore.com>
>
> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index e60c79d..4b42931 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -197,8 +197,6 @@ void __init avc_init(void) avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data", sizeof(struct extended_perms_data), 0, SLAB_PANIC, NULL); - - audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n"); } int avc_get_hash_stats(char *page)
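Review bot: the commit message justifies this hunk only with "this record was not even necessary", which leaves a reader of the log to work out where the information the removed KERNEL record conveyed now lives; since the hunk deletes the only audit record emitted from avc_init(), the message should say what the thread establishes, namely that the boot-time MAC state is already recorded by AUDIT_MAC_STATUS (enforcing mode) and AUDIT_MAC_POLICY_LOAD, and that avc_init() has no access to the framework name, enabled state or enforcing mode in any case. Stating that also documents why the AUDIT_MAC_INIT alternative raised in review was not taken, so a later reader does not reopen it.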
In the process of normalizing audit log messages, it was noticed that the AVC initialization code registered an audit log KERNEL record that didn't fit the standard format. In the process of attempting to normalize it it was determined that this record was not even necessary. Remove it.

Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
See: https://github.com/linux-audit/audit-kernel/issues/48
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
security/selinux/avc.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)