[RFC PATCH] New audit message for NetLabel static/fallback labels
Those of you who follow the SELinux and/or LSM mailing lists know there is work currently underway to provide static or fallback network peer labels for use when traditional labeled networking (CIPSO or Labeled IPsec) is not present. For the same reasons that NetLabel or Labeled IPsec configuration changes are considered auditable events, configuring the static/fallback labels should likely be treated as an auditable event as well.

The patch below is part of a larger patchset which contains this new functionality which has already been posted many times to the SELinux and LSM lists. Those interested in the patchset are encouraged to look into the archives of those mailing lists or check out the git tree here:

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

I'm posting this patch to the audit list for comments/review as it contains all of the audit-related changes and I'd like to sort out any issues the audit community may have sooner rather than later. Please take a few minutes to look over the changes, most importantly the new message types, and either send me mail or preferably send mail straight to the audit list.

For reference, here are four examples of the new message types pulled from a Fedora Rawhide machine running this patch:

 * adding new fallback label using network interface lo and address 127.0.0.0/8

   type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
     netif=lo daddr=127.0.0.0 daddr_mask=8 \
     sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * adding new fallback label using the default network interface and address 192.168.0.10

   type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
     daddr=192.168.0.10 \
     sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for network interface lo and address 127.0.0.0/8

   type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
     netif=lo daddr=127.0.0.0 daddr_mask=8 \
     sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for the default network interface and address 192.168.0.10

   type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
     auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
     daddr=192.168.0.10 \
     sec_obj=system_u:object_r:unlabeled_t:s0 res=1

-- 
paul moore
linux security @ hp

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH] New audit message for NetLabel static/fallback labels
Paul Moore wrote:
> Those of you who follow the SELinux and/or LSM mailing lists know there is work currently underway to provide static or fallback network peer labels for use when traditional labeled networking (CIPSO or Labeled IPsec) is not present. For the same reasons that NetLabel or Labeled IPsec configuration changes are considered auditable events, configuring the static/fallback labels should likely be treated as an auditable event as well.
>
> The patch below is part of a larger patchset which contains this new functionality which has already been posted many times to the SELinux and LSM lists. Those interested in the patchset are encouraged to look into the archives of those mailing lists or check out the git tree here:
>
>  * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
>
> I'm posting this patch to the audit list for comments/review as it contains all of the audit-related changes and I'd like to sort out any issues the audit community may have sooner rather than later. Please take a few minutes to look over the changes, most importantly the new message types, and either send me mail or preferably send mail straight to the audit list.
>
> For reference, here are four examples of the new message types pulled from a Fedora Rawhide machine running this patch:
>
>  * adding new fallback label using network interface lo and address 127.0.0.0/8
>
>    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
>      auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>      netif=lo daddr=127.0.0.0 daddr_mask=8 \
>      sec_obj=system_u:object_r:unlabeled_t:s0 res=1

At the risk of being nit-picky, it seems like the convention for network addresses is either separate address and netmask fields, or the combined address/bits-in-netmask notation. For example, ifconfig (on ubuntu, anyway) uses the former for IPv4 and the latter for IPv6 addresses.

  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host

These audit records separate the two values but use the bits-in-netmask instead of the netmask in dot notation, which seems inconsistent to me. Seems like the audit record above should either have an address of 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.

-- ljk

>  * adding new fallback label using the default network interface and address 192.168.0.10
>
>    type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
>      auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>      daddr=192.168.0.10 \
>      sec_obj=system_u:object_r:unlabeled_t:s0 res=1
>
>  * deleting the configuration for network interface lo and address 127.0.0.0/8
>
>    type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
>      auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>      netif=lo daddr=127.0.0.0 daddr_mask=8 \
>      sec_obj=system_u:object_r:unlabeled_t:s0 res=1
>
>  * deleting the configuration for the default network interface and address 192.168.0.10
>
>    type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
>      auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
>      daddr=192.168.0.10 \
>      sec_obj=system_u:object_r:unlabeled_t:s0 res=1
Re: [RFC PATCH] New audit message for NetLabel static/fallback labels
On Wednesday 21 November 2007 4:26:57 pm Paul Moore wrote:
> On Wednesday 21 November 2007 4:21:26 pm Linda Knippers wrote:
> > Paul Moore wrote:
> > > For reference, here are four examples of the new message types pulled from a Fedora Rawhide machine running this patch:
> > >
> > >  * adding new fallback label using network interface lo and address 127.0.0.0/8
> > >
> > >    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
> > >      auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> > >      netif=lo daddr=127.0.0.0 daddr_mask=8 \
> > >      sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> >
> > At the risk of being nit-picky, it seems like the convention for network addresses is either separate address and netmask fields, or the combined address/bits-in-netmask notation. For example, ifconfig (on ubuntu, anyway) uses the former for IPv4 and the latter for IPv6 addresses.
> >
> >   lo        Link encap:Local Loopback
> >             inet addr:127.0.0.1  Mask:255.0.0.0
> >             inet6 addr: ::1/128 Scope:Host
> >
> > These audit records separate the two values but use the bits-in-netmask instead of the netmask in dot notation, which seems inconsistent to me. Seems like the audit record above should either have an address of 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.
>
> I agree in that I like seeing the netmask attached to the address, but when I posed the question earlier to the list there was concern that this would cause breakage in the tools.
>
> I just thought of something, would you be more comfortable if I changed the name from 'daddr_mask' to 'daddr_prefixlen'?

The more I think about this, the more I like the idea of 'daddr_prefixlen', I'm going to go and make that change. Although I'm still unclear of how people would like to see the netmask information - part of the address or separate.

For what it is worth I think we are going to need to augment the existing IPsec SPD audit messages to include this information as well (see my other mail).

-- 
paul moore
linux security @ hp
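The thread turns on how the address and mask in these records should be read: 'daddr' plus a bits-in-netmask field ('daddr_mask', renamed 'daddr_prefixlen' by the end of the thread), with the field absent when the record names a single host. The parser below is an added example for readers of this archive, not code from the patch or from either poster. It joins the backslash-continued records exactly as they appear above, splits out the key=value fields, and renders the address in both notations Linda Knippers contrasts (address/prefixlen and address plus dotted netmask), so a log consumer can accept either field name. The sample input is the four records from the thread plus one constructed IPv6 record to show the prefix-length handling generalises; the 'add'/'del' names for types 1416/1417 are taken from the thread's own descriptions of the events, and the '<default>' marker for a record with no 'netif' is an assumption of this example.

```python
"""Parse NetLabel static/fallback audit records and normalise their address fields.

Added example for the mailing-list thread above; not part of the patch itself.
"""
import ipaddress
import re

# Constructed sample input: the four records quoted in the thread, kept in the
# backslash-continued layout they were posted in, plus one constructed IPv6
# record using the later 'daddr_prefixlen' field name.
SAMPLE = r"""
type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
  auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
  netif=lo daddr=127.0.0.0 daddr_mask=8 \
  sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
  auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
  daddr=192.168.0.10 \
  sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
  auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
  netif=lo daddr=127.0.0.0 daddr_mask=8 \
  sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
  auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
  daddr=192.168.0.10 \
  sec_obj=system_u:object_r:unlabeled_t:s0 res=1
type=UNKNOWN[1416] msg=audit(1195672000.000:44): netlabel: \
  auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
  netif=eth0 daddr=::1 daddr_prefixlen=128 \
  sec_obj=system_u:object_r:unlabeled_t:s0 res=1
"""

# Event names as the thread describes them: 1416 adds a fallback label,
# 1417 deletes one.  (Assumed mapping for display; the kernel uses numbers.)
OPS = {1416: "add", 1417: "del"}

RECORD_RE = re.compile(
    r"^type=(?:UNKNOWN\[(?P<num>\d+)\]|(?P<name>\w+)) "
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): netlabel: (?P<body>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def join_continuations(text):
    """Fold 'line \\<newline>   next' continuations back into single records."""
    folded = re.sub(r"\\\n\s*", " ", text)
    return [ln.strip() for ln in folded.splitlines() if ln.strip()]


def parse_record(line):
    """Split one netlabel audit record into its header and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a netlabel audit record: {line!r}")
    return {
        "type": int(m.group("num")) if m.group("num") else m.group("name"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": dict(FIELD_RE.findall(m.group("body"))),
    }


def parse_all(text):
    return [parse_record(ln) for ln in join_continuations(text)]


def normalise_address(fields):
    """Render daddr + prefix length in both CIDR and dotted-netmask form.

    Accepts either field name from the thread ('daddr_mask' or the later
    'daddr_prefixlen'); a record with neither names a single host.
    """
    addr = ipaddress.ip_address(fields["daddr"])
    prefix = fields.get("daddr_prefixlen", fields.get("daddr_mask"))
    prefixlen = int(prefix) if prefix is not None else addr.max_prefixlen
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return {
        "cidr": str(net),                     # e.g. 127.0.0.0/8
        "address": str(net.network_address),  # e.g. 127.0.0.0
        "netmask": str(net.netmask),          # e.g. 255.0.0.0
        "prefixlen": net.prefixlen,
        "netif": fields.get("netif", "<default>"),  # assumed marker
        "label": fields["sec_obj"],
        "success": fields.get("res") == "1",
    }


def summarise(record):
    """One human-readable line per record for a change log or alert."""
    n = normalise_address(record["fields"])
    op = OPS.get(record["type"], str(record["type"]))
    status = "ok" if n["success"] else "FAILED"
    return (f"{op} {n['cidr']} (mask {n['netmask']}) on {n['netif']} "
            f"-> {n['label']} [{status}]")


if __name__ == "__main__":
    for rec in parse_all(SAMPLE):
        print(summarise(rec))
```

Because the mask is emitted as a prefix length rather than a dotted netmask, the same code path serves IPv4 and IPv6 records; a consumer that wanted the dotted form only for IPv4 can branch on `net.version`.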