References: <6b939250a519668af109adf877d85ff018b217d7.1523316267.git.rgb@redhat.com>
From: Paul Moore
Date: Tue, 17 Apr 2018 17:59:05 -0400
Subject: Re: [PATCH ghak46 V1] audit: normalize MAC_STATUS record
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, SElinux list, Linux Security Module list, Eric Paris, Steve Grubb
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 11, 2018 at 5:08 PM, Paul Moore wrote:
> On Mon, Apr 9, 2018 at 7:34 PM, Richard Guy Briggs wrote:
>> There were two formats of the audit MAC_STATUS record, one of which was more
>> standard than the other. One listed enforcing status changes and the
>> other listed enabled status changes with a non-standard label. In
>> addition, the record was missing information about which LSM was
>> responsible and the operation's completion status. While this record is
>> only issued on success, the parser expects the res= field to be present.
>>
>> old enforcing/permissive:
>> type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1
>> old enable/disable:
>> type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1
>>
>> List both sets of status and old values and add the lsm= field and the
>> res= field.
>>
>> Here is the new format:
>> type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1
>>
>> This record already accompanied a SYSCALL record.
>>
>> See: https://github.com/linux-audit/audit-kernel/issues/46
>> Signed-off-by: Richard Guy Briggs
>> ---
>> security/selinux/selinuxfs.c | 11 +++++++----
>> 1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
>> index 00eed84..00b21b2 100644
>> --- a/security/selinux/selinuxfs.c
>> +++ b/security/selinux/selinuxfs.c
>> @@ -145,10 +145,11 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
>> if (length)
>> goto out;
>> audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
>> - "enforcing=%d old_enforcing=%d auid=%u ses=%u",
>> + "enforcing=%d old_enforcing=%d auid=%u ses=%u"
>> + " enabled=%d old-enabled=%d lsm=selinux res=1",
>> new_value, selinux_enforcing,
>> from_kuid(&init_user_ns, audit_get_loginuid(current)),
>> - audit_get_sessionid(current));
>> + audit_get_sessionid(current), selinux_enabled, selinux_enabled);
>
> This looks fine.
>
>> selinux_enforcing = new_value;
>> if (selinux_enforcing)
>> avc_ss_reset(0);
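Review bot: the added `" enabled=%d old-enabled=%d lsm=selinux res=1"` line introduces a hyphenated field name beside the pre-existing `old_enforcing`, so the normalized record now mixes both separators; if the hyphen is deliberate (to match the `old-` prefix used by other audit records), say so in the commit message so that a later cleanup does not rename one of them and break parsers that match on field names. Emitting `res=1` as a literal rather than a `%d` is fine here: the `if (length) goto out;` context above guarantees the record is only written on success, which the commit message already states.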
>> @@ -272,9 +273,11 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
>> if (length)
>> goto out;
>> audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
>> - "selinux=0 auid=%u ses=%u",
>> + "enforcing=%d old_enforcing=%d auid=%u ses=%u"
>> + " enabled=%d old-enabled=%d lsm=selinux res=1",
>> + selinux_enforcing, selinux_enforcing,
>> from_kuid(&init_user_ns, audit_get_loginuid(current)),
>> - audit_get_sessionid(current));
>> + audit_get_sessionid(current), 0, 1);
>
> It needs to be said again that I'm opposed to changes like this:
> inserting new fields, removing fields, or otherwise changing the
> format in ways that aren't strictly the addition of new fields to the
> end of a record is a Bad Thing. However, there are exceptions (there
> are *always* exceptions), and this seems like a reasonable change that
> shouldn't negatively affect anyone.
>
> I'll merge this once the merge window comes to a close (we are going
> to need to base selinux/next on v4.17-rc1).

Merged into selinux/next, although I should mention that there were some
actual code changes because of the SELinux state consolidation patches
that went into v4.17. The changes were small but please take a look and
make sure everything still looks okay to you.

>> }
>>
>> length = count;
>> --
>> 1.8.3.1

-- 
paul moore
www.paul-moore.com
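Review bot: the format string in `sel_write_disable()` is now a verbatim copy of the one in `sel_write_enforce()`, and the two have to stay byte-identical for the record to count as normalized; a single shared format (a `#define`, or a small helper taking the old and new enforcing/enabled values) would stop the two emitters from drifting apart. The literal `0, 1` arguments for `enabled`/`old-enabled` are only correct because the preceding `if (length) goto out;` means the disable succeeded, so SELinux was necessarily enabled beforehand; a one-line comment at the call site would make that dependence visible, since on their own the literals read like placeholders. Passing `selinux_enforcing, selinux_enforcing` reports the enforcing value as unchanged across a disable, which is accurate but worth a sentence in the commit message so consumers do not expect `enforcing=0` once the LSM is off.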
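The commit message quotes three MAC_STATUS layouts (legacy enforcing/permissive, legacy enable/disable, and the normalized form) and notes that the parser expects a `res=` field the legacy records lack. The following is an added example written for this page, not kernel code and not part of the audit userspace project: it parses all three layouts from the quoted sample lines, maps them onto one field set, reports which fields a legacy record could not supply, and flags records that show SELinux going permissive or being disabled. The function names, the rule that a legacy `selinux=0` implies `enabled=0` with `old-enabled=1`, and the default of `lsm=selinux` for records without an `lsm=` field are all assumptions of this example.

```python
"""MAC_STATUS record normalizer: added example for this page, not kernel code
and not part of the audit userspace project.

Accepts the three layouts quoted in the commit message and maps them onto one
field set. The rules for legacy records (selinux=0 implies enabled=0 with
old-enabled=1; lsm defaults to selinux) are assumptions of this example, not
behaviour the kernel documents.
"""
import re

# The three records quoted in the commit message (constructed test input).
SAMPLE_RECORDS = [
    "type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1",
    "type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1",
    "type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 "
    "auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1",
]

_HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
_FIELD_RE = re.compile(r"(\S+?)=(\S+)")


def parse_record(line):
    """Split one audit line into its header and a dict of key=value fields."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    return {
        "type": m.group("type"),
        "ts": m.group("ts"),
        "serial": int(m.group("serial")),
        "fields": dict(_FIELD_RE.findall(m.group("body"))),
    }


def _int_or_none(fields, key):
    return int(fields[key]) if key in fields else None


def normalize_mac_status(rec):
    """Map any MAC_STATUS layout onto the normalized field set.

    Returns (normalized, warnings). Fields a legacy record cannot supply are
    None and produce a warning; res is never invented, because the point of
    the patch is that legacy records lack the res= the parser expects.
    """
    if rec["type"] != "MAC_STATUS":
        raise ValueError("expected MAC_STATUS, got %s" % rec["type"])
    f = rec["fields"]
    warnings = []
    out = {"auid": _int_or_none(f, "auid"), "ses": _int_or_none(f, "ses")}

    if "selinux" in f:
        # Legacy enable/disable layout: the kernel only ever logged "selinux=0" here.
        out["enabled"] = int(f["selinux"])
        # Assumption: a successful disable implies SELinux was enabled before.
        out["old_enabled"] = 1 if out["enabled"] == 0 else None
        out["enforcing"] = out["old_enforcing"] = None
        warnings.append("legacy enable/disable layout: enforcing state not recorded")
    else:
        out["enforcing"] = _int_or_none(f, "enforcing")
        out["old_enforcing"] = _int_or_none(f, "old_enforcing")
        out["enabled"] = _int_or_none(f, "enabled")
        out["old_enabled"] = _int_or_none(f, "old-enabled")  # hyphenated in the new record
        if out["enabled"] is None:
            warnings.append("legacy enforcing/permissive layout: enabled state not recorded")

    # Assumption: records without lsm= came from selinuxfs, so the LSM is SELinux.
    out["lsm"] = f.get("lsm")
    if out["lsm"] is None:
        out["lsm"] = "selinux"
        warnings.append("lsm= missing; assumed selinux")

    out["res"] = _int_or_none(f, "res")
    if out["res"] is None:
        warnings.append("res= missing")
    return out, warnings


def is_weakening(norm):
    """True when the record shows SELinux going permissive or being disabled."""
    return (norm["old_enforcing"] == 1 and norm["enforcing"] == 0) or (
        norm["old_enabled"] == 1 and norm["enabled"] == 0
    )


def triage(lines):
    """Normalize each line and flag the ones a defender would want to alert on."""
    results = []
    for line in lines:
        rec = parse_record(line)
        norm, warnings = normalize_mac_status(rec)
        results.append({"serial": rec["serial"], "normalized": norm,
                        "warnings": warnings, "weakening": is_weakening(norm)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        print(r["serial"], "WEAKENING" if r["weakening"] else "ok", r["warnings"])
```

Run as a script it prints one line per sample record; only the normalized record comes through with an empty warning list, and all three are flagged as weakening because each shows enforcing or enabled going from 1 to 0. The `weakening` flag is the part worth wiring into an alert, since a MAC_STATUS record is emitted exactly when someone with access to selinuxfs changes policy enforcement.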