Those of you who follow the SELinux and/or LSM mailing lists know there is work currently underway to provide static or fallback network peer labels for use when traditional labeled networking (CIPSO or Labeled IPsec) is not present. For the same reasons that NetLabel or Labeled IPsec configuration changes are considered "auditable events", configuring the static/fallback labels should likely be treated as an auditable event as well.
The patch below is part of a larger patchset which contains this new functionality which has already been posted many times to the SELinux and LSM lists. Those interested in the patchset are encouraged to look into the archives of those mailing lists or check out the git tree here:

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

I'm posting this patch to the audit list for comments/review as it contains all of the audit-related changes and I'd like to sort out any issues the audit community may have sooner rather than later. Please take a few minutes to look over the changes, most importantly the new message types, and either send me mail or preferably send mail straight to the audit list.

For reference, here are four examples of the new message types pulled from a Fedora Rawhide machine running this patch:

 * adding new fallback label using network interface "lo" and address "127.0.0.0/8"

   type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    netif=lo daddr=127.0.0.0 daddr_mask=8 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * adding new fallback label using the default network interface and address "192.168.0.10"

   type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    daddr=192.168.0.10 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for network interface "lo" and address "127.0.0.0/8"

   type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    netif=lo daddr=127.0.0.0 daddr_mask=8 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for the default network interface and address "192.168.0.10"

   type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
    auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
    daddr=192.168.0.10 \
    sec_obj=system_u:object_r:unlabeled_t:s0 res=1

-- 
paul moore
linux security @ hp

--
Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
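As an added illustration (not part of the posting or the patch), the following Python parses records of the shape shown above and replays the add/delete events to reconstruct the resulting fallback-label table, which is what an auditor would want from this trail. It assumes, from the examples only, that type 1416 is an add and 1417 a delete, that a missing netif= means the default interface, and that a missing daddr_mask= means a single IPv4 host (/32).

```python
import re

# Constructed sample records in the shape of the posted examples, with the
# e-mail's "\" continuation lines joined back into one record each.
SAMPLE_RECORDS = [
    "type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 netif=lo daddr=127.0.0.0 "
    "daddr_mask=8 sec_obj=system_u:object_r:unlabeled_t:s0 res=1",
    "type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 daddr=192.168.0.10 "
    "sec_obj=system_u:object_r:unlabeled_t:s0 res=1",
    "type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 netif=lo daddr=127.0.0.0 "
    "daddr_mask=8 sec_obj=system_u:object_r:unlabeled_t:s0 res=1",
]
# Type numbers as seen in the posted examples: 1416 = adding, 1417 = deleting.
OP_BY_TYPE = {1416: "add", 1417: "del"}
HEADER_RE = re.compile(
    r"^type=UNKNOWN\[(\d+)\] msg=audit\((\d+\.\d+):(\d+)\): netlabel: (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_netlabel_record(line):
    """Parse one static/fallback-label record into a dict; None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    type_num, ts, serial, body = m.groups()
    rec = {"type": int(type_num), "timestamp": float(ts), "serial": int(serial)}
    rec.update(FIELD_RE.findall(body))
    rec["op"] = OP_BY_TYPE.get(rec["type"], "unknown")
    # No netif= field means the rule is for the default interface (assumption).
    rec["netif"] = rec.get("netif", "default")
    # No daddr_mask= field means a single host (assumed /32; all examples are IPv4).
    rec["prefix"] = "%s/%s" % (rec["daddr"], rec.get("daddr_mask", "32"))
    rec["ok"] = rec.get("res") == "1"
    return rec


def replay_fallback_labels(lines):
    """Replay successful add/del records in order -> {(netif, prefix): sec_obj}."""
    table = {}
    for rec in map(parse_netlabel_record, lines):
        if rec is None or not rec["ok"]:
            continue  # not a netlabel record, or the change was refused (res=0)
        key = (rec["netif"], rec["prefix"])
        if rec["op"] == "add":
            table[key] = rec["sec_obj"]
        elif rec["op"] == "del":
            table.pop(key, None)
    return table
```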