In-Reply-To: <6b939250a519668af109adf877d85ff018b217d7.1523316267.git.rgb@redhat.com>
From: Paul Moore
Date: Wed, 11 Apr 2018 17:08:34 -0400
Subject: Re: [PATCH ghak46 V1] audit: normalize MAC_STATUS record
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, SElinux list, Linux Security Module list, Eric Paris, Steve Grubb
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 9, 2018 at 7:34 PM, Richard Guy Briggs wrote:
> There were two formats of the audit MAC_STATUS record, one of which was more
> standard than the other. One listed enforcing status changes and the
> other listed enabled status changes with a non-standard label. In
> addition, the record was missing information about which LSM was
> responsible and the operation's completion status. While this record is
> only issued on success, the parser expects the res= field to be present.
>
> old enforcing/permissive:
> type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1
> old enable/disable:
> type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1
>
> List both sets of status and old values and add the lsm= field and the
> res= field.
>
> Here is the new format:
> type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1
>
> This record already accompanied a SYSCALL record.
>
> See: https://github.com/linux-audit/audit-kernel/issues/46
> Signed-off-by: Richard Guy Briggs
> ---
>  security/selinux/selinuxfs.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 00eed84..00b21b2 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -145,10 +145,11 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
>  	if (length)
>  		goto out;
>  	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
> -		"enforcing=%d old_enforcing=%d auid=%u ses=%u",
> +		"enforcing=%d old_enforcing=%d auid=%u ses=%u"
> +		" enabled=%d old-enabled=%d lsm=selinux res=1",
>  		new_value, selinux_enforcing,
>  		from_kuid(&init_user_ns, audit_get_loginuid(current)),
> -		audit_get_sessionid(current));
> +		audit_get_sessionid(current), selinux_enabled, selinux_enabled);

This looks fine.

>  	selinux_enforcing = new_value;
>  	if (selinux_enforcing)
>  		avc_ss_reset(0);
> @@ -272,9 +273,11 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
>  	if (length)
>  		goto out;
>  	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
> -		"selinux=0 auid=%u ses=%u",
> +		"enforcing=%d old_enforcing=%d auid=%u ses=%u"
> +		" enabled=%d old-enabled=%d lsm=selinux res=1",
> +		selinux_enforcing, selinux_enforcing,
>  		from_kuid(&init_user_ns, audit_get_loginuid(current)),
> -		audit_get_sessionid(current));
> +		audit_get_sessionid(current), 0, 1);

It needs to be said again that I'm opposed to changes like this: inserting new fields, removing fields, or otherwise changing the format in ways that aren't strictly the addition of new fields to the end of a record is a Bad Thing. However, there are exceptions (there are *always* exceptions), and this seems like a reasonable change that shouldn't negatively affect anyone.

I'll merge this once the merge window comes to a close (we are going to need to base selinux/next on v4.17-rc1).

>  }
>
>  	length = count;
> -- 
> 1.8.3.1
>

-- 
paul moore
www.paul-moore.com
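Review bot: the sel_write_enforce hunk mixes separators within one record: the existing `old_enforcing` keeps an underscore while the added `" enabled=%d old-enabled=%d lsm=selinux res=1"` spells its old-value field with a hyphen. Since the stated purpose of the change is a record the parser handles uniformly, either use one convention for the newly added pair or say in the commit message why the two spellings differ. Passing `selinux_enabled` twice for enabled/old-enabled is correct here, as writing the enforce node does not change the enabled state, but a one-line comment above the `audit_log()` call would spare the next reader from re-deriving that.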
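Review bot: the literals in `+ audit_get_sessionid(current), 0, 1);` in the sel_write_disable hunk fill the `enabled=%d old-enabled=%d` specifiers with no explanation, whereas the sel_write_enforce hunk passes `selinux_enabled` for the same specifiers. The values are defensible because this `audit_log()` is reached only after the preceding `if (length) goto out;` check, i.e. once the disable has succeeded, so the old value is necessarily 1 and the new value 0; a short comment saying so would make the hardcoding self-evident. In the same hunk, `selinux_enforcing, selinux_enforcing` for enforcing/old_enforcing means those two fields are always equal in this record; that is fine if disabling leaves the enforcing flag untouched, but it deserves a sentence in the commit message so that consumers do not read it as a transition.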
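The patch description above shows two legacy MAC_STATUS layouts and the normalized one that replaces them, and a consumer of audit logs has to accept all three for as long as older kernels remain in a fleet. The following Python is an added example, not code from the patch or from the audit project's own tooling: it parses the three record shapes quoted in the description (embedded as constructed sample lines), maps them onto one set of keys, and labels the state transition each record describes so that an enforcing-to-permissive change or a runtime disable can be alerted on. The function names (parse_audit_record, normalize_mac_status, classify_transition, summarize) are the example's own, and res= is defaulted to 1 for legacy records only because the description states the record is issued solely on success.

```python
import re

# Constructed sample lines: the two legacy MAC_STATUS layouts and the
# normalized layout, copied from the patch description quoted above.
SAMPLE_RECORDS = [
    "type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1",
    "type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1",
    "type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 "
    "enabled=1 old-enabled=1 lsm=selinux res=1",
]

# "type=X msg=audit(SECONDS.MILLIS:SERIAL): <key=value ...>"
_HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; a value is either a double-quoted string or a run of non-blank characters.
# The key class allows both '_' and '-' so that old_enforcing and old-enabled are both accepted.
_FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+)=(?P<val>"[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one audit line into its record type, timestamp, serial and key=value fields."""
    m = _HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("body"))}
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def _as_int(value):
    """Convert a field value to int, preserving None for fields the record never carried."""
    return None if value is None else int(value)


def normalize_mac_status(record):
    """Map any of the three MAC_STATUS layouts onto one set of keys.

    Fields a legacy record never carried are reported as None rather than
    guessed. The one exception is res, defaulted to 1: the description states
    the record is only issued on success, which is why the patch hardcodes res=1.
    """
    if record["type"] != "MAC_STATUS":
        raise ValueError("expected MAC_STATUS, got %s" % record["type"])
    f = record["fields"]
    norm = {
        "auid": int(f["auid"]),
        "ses": int(f["ses"]),
        # Legacy records never named the LSM; only SELinux emitted MAC_STATUS before this patch.
        "lsm": f.get("lsm", "selinux"),
        "res": int(f.get("res", "1")),
        "legacy": "lsm" not in f,
        "enforcing": _as_int(f.get("enforcing")),
        "old_enforcing": _as_int(f.get("old_enforcing")),
        "enabled": _as_int(f.get("enabled")),
        "old_enabled": _as_int(f.get("old-enabled")),
    }
    if "selinux" in f:  # legacy enable/disable layout: selinux=0 means "now disabled"
        norm["enabled"] = int(f["selinux"])
    return norm


def classify_transition(norm):
    """Label the state change a normalized record describes, for alerting rules."""
    if norm["enabled"] == 0:
        return "lsm-disabled"
    if norm["old_enforcing"] == 1 and norm["enforcing"] == 0:
        return "enforcing-to-permissive"
    if norm["old_enforcing"] == 0 and norm["enforcing"] == 1:
        return "permissive-to-enforcing"
    return "no-change"


def summarize(lines):
    """Parse and classify every MAC_STATUS line; other record types are skipped."""
    out = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec["type"] != "MAC_STATUS":
            continue
        norm = normalize_mac_status(rec)
        out.append((rec["serial"], classify_transition(norm), norm["legacy"]))
    return out


if __name__ == "__main__":
    for serial, label, legacy in summarize(SAMPLE_RECORDS):
        print("serial=%d transition=%s legacy=%s" % (serial, label, legacy))
```

The serial and timestamp are kept on the parsed record so a consumer can join the MAC_STATUS line with the SYSCALL record the description says accompanies it. Both legacy layouts are flagged with legacy=True, which lets a detection rule treat their missing fields as unknown rather than as a reported value.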