Le 06/12/17 à 18:51, Tyler Hicks a écrit :
If so, does everyone agree that 1500-1599 would be acceptable for
AppArmor to use?
FTR, the apparmor usespace library seems to support the 15xx range for
quite sometimes already, I see the following commit in the git repository:
commit a6a88a4dd7ec9fd59b01c27f8cd40f653386107b
Author: Steve Beattie <st...@nxnw.org>
Date: Fri Sep 14 14:00:48 2007 +0000
This patch adds support to the logparsing library for the type=15xx
flags when events come through the audit subsystem. It also fixes the
case where the audit daemon has not been configured with apparmor
support and the events are reported as type=UNKNOWN[15xx].
It also fixes the testsuite dependencies so that they will get relinked
when the library changes.
This commits contains the following used id's:
+/* FIXME: this ought to be pulled from <linux/audit.h> but there's no
+ * guarantee these will exist there. */
+#define AUDIT_APPARMOR_AUDIT 1501 /* AppArmor audited grants */
+#define AUDIT_APPARMOR_ALLOWED 1502 /* Allowed Access for learning */
+#define AUDIT_APPARMOR_DENIED 1503
+#define AUDIT_APPARMOR_HINT 1504 /* Process Tracking information */
+#define AUDIT_APPARMOR_STATUS 1505 /* Changes in config */
+#define AUDIT_APPARMOR_ERROR 1506 /* Internal AppArmor Errors */
+
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
