Excluding a script / process and its descendants from audit

2022-07-14 Thread Stephen Smalley
Hi, Is it possible to exclude a script from triggering audit records? I know that one can exclude an executable via -a never,exit -F exe=/path/to/exe but I haven't been able to find a way to do the same for a script. Also, is there a way to have the exclusion applied to all child processes

Re: [PATCH v20 05/23] net: Prepare UDS for security module stacking

2020-09-09 Thread Stephen Smalley
On Tue, Sep 8, 2020 at 8:21 PM John Johansen wrote: > > On 9/8/20 4:37 PM, Casey Schaufler wrote: > > On 9/8/2020 6:35 AM, Stephen Smalley wrote: > >> On Mon, Sep 7, 2020 at 9:28 PM Stephen Smalley > >> wrote: > >>> On Sat, Sep 5, 2020 at 3:07 PM John

Re: [PATCH v20 05/23] net: Prepare UDS for security module stacking

2020-09-08 Thread Stephen Smalley
On Mon, Sep 7, 2020 at 9:28 PM Stephen Smalley wrote: > > On Sat, Sep 5, 2020 at 3:07 PM John Johansen > wrote: > > > > On 9/5/20 11:13 AM, Casey Schaufler wrote: > > > On 9/5/2020 6:25 AM, Paul Moore wrote: > > >> On Fri, Sep 4, 2020 at 7:58 PM Case

Re: [PATCH v20 05/23] net: Prepare UDS for security module stacking

2020-09-07 Thread Stephen Smalley
On Sat, Sep 5, 2020 at 3:07 PM John Johansen wrote: > > On 9/5/20 11:13 AM, Casey Schaufler wrote: > > On 9/5/2020 6:25 AM, Paul Moore wrote: > >> On Fri, Sep 4, 2020 at 7:58 PM Casey Schaufler > >> wrote: > >>> On 9/4/2020 2:53 PM, Paul Moore wrote: > On Fri, Sep 4, 2020 at 5:35 PM Casey

Re: [PATCH v19 20/23] Audit: Add new record for multiple process LSM attributes

2020-07-27 Thread Stephen Smalley
On 7/24/20 4:32 PM, Casey Schaufler wrote: Create a new audit record type to contain the subject information when there are multiple security modules that require such data. This record is linked with the same timestamp and serial number. The record is produced only in cases where there is more

Re: [PATCH v19 02/23] LSM: Create and manage the lsmblob data structure.

2020-07-27 Thread Stephen Smalley
data is expanded to use an array of > security module data rather than a single instance. > Because IMA uses the audit rule functions it is > affected as well. > > Acked-by: Stephen Smalley > Acked-by: Paul Moore > Signed-off-by: Casey Schaufler With CONFIG_BPF_LSM=y: se

Re: [PATCH v2] semanage: handle getprotobyname() failure case

2020-06-25 Thread Stephen Smalley
On Mon, Jun 22, 2020 at 8:22 AM Stephen Smalley wrote: > > On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley > wrote: > > > > On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen wrote: > > > > > > At least on Debian, /etc/protocols, which is used by > > &

Re: [PATCH v2] semanage: handle getprotobyname() failure case

2020-06-22 Thread Stephen Smalley
On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley wrote: > > On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen wrote: > > > > At least on Debian, /etc/protocols, which is used by > > socket.getprotobyname() to resolve protocols to names, does not > > contain an entry

Re: [PATCH v2] semanage: handle getprotobyname() failure case

2020-06-08 Thread Stephen Smalley
On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen wrote: > > At least on Debian, /etc/protocols, which is used by > socket.getprotobyname() to resolve protocols to names, does not > contain an entry for "ipv4". In that case, set the protocol number > used by audit logs for "ipv4" to a fixed value. To

Re: [PATCH v17 05/23] net: Prepare UDS for security module stacking

2020-05-18 Thread Stephen Smalley
On Thu, May 14, 2020 at 7:25 PM Casey Schaufler wrote: > > Change the data used in UDS SO_PEERSEC processing from a > secid to a more general struct lsmblob. Update the > security_socket_getpeersec_dgram() interface to use the > lsmblob. There is a small amount of scaffolding code > that will

Re: [PATCH v17 20/23] Audit: Add a new record for multiple subject LSM attributes

2020-05-18 Thread Stephen Smalley
On Thu, May 14, 2020 at 7:30 PM Casey Schaufler wrote: > > Create a new audit record type to contain the subject information > when there are multiple security modules that require such data. > This record is emitted before the other records for the event, but > is linked with the same timestamp

[RFC PATCH v2] security,lockdown,selinux: implement SELinux lockdown

2019-11-28 Thread Stephen Smalley
"/proc/kcore access" scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023 tclass=lockdown permissive=0 Signed-off-by: Stephen Smalley --- include/linux/lsm_audit.h | 2 ++ include/linux/security.h| 2 ++

Re: [RFC PATCH] audit, security: allow LSMs to selectively enable audit collection

2019-08-30 Thread Stephen Smalley
On 8/15/19 1:41 PM, Aaron Goidel wrote: Presently, there is no way for LSMs to enable collection of supplemental audit records such as path and inode information when a permission denial occurs. Provide a LSM hook to allow LSMs to selectively enable collection on a per-task basis, even if the

Re: [RFC PATCH v3] security, capability: pass object information to security_capable

2019-08-16 Thread Stephen Smalley
On 8/15/19 6:32 PM, James Morris wrote: On Thu, 15 Aug 2019, Aaron Goidel wrote: In SELinux this new information is leveraged here to perform an additional inode based check for capabilities relevant to inodes. Since the inode provided to capable_wrt_inode_uidgid() is a const argument, this

Re: [RFC PATCH v2] security, capability: pass object information to security_capable

2019-08-14 Thread Stephen Smalley
On 8/14/19 3:59 PM, Paul Moore wrote: On Tue, Aug 13, 2019 at 5:27 PM Richard Guy Briggs wrote: On 2019-08-13 11:01, Aaron Goidel wrote: On 8/8/19 12:30 PM, Paul Moore wrote: On Thu, Aug 1, 2019 at 10:43 AM Aaron Goidel wrote: From: Nicholas Franck At present security_capable does not

Re: [RFC PATCH] security, capability: pass object information to security_capable

2019-07-12 Thread Stephen Smalley
On 7/12/19 1:50 PM, James Morris wrote: On Fri, 12 Jul 2019, Nicholas Franck wrote: + case LSM_AUDIT_DATA_CAP: { + const struct inode *inode; + + if (a->u.cap_struct.cad) { + switch (a->u.cap_struct.cad->type) { +

Re: [PATCH v5 15/23] LSM: Specify which LSM to display

2019-07-09 Thread Stephen Smalley
On 7/9/19 5:18 PM, Casey Schaufler wrote: On 7/9/2019 11:12 AM, Stephen Smalley wrote: On 7/9/19 1:51 PM, Casey Schaufler wrote: On 7/9/2019 10:13 AM, Stephen Smalley wrote: On 7/3/19 5:25 PM, Casey Schaufler wrote: Create a new entry "display" in /proc/.../attr for controlling

Re: [PATCH v5 15/23] LSM: Specify which LSM to display

2019-07-09 Thread Stephen Smalley
On 7/9/19 1:51 PM, Casey Schaufler wrote: On 7/9/2019 10:13 AM, Stephen Smalley wrote: On 7/3/19 5:25 PM, Casey Schaufler wrote: Create a new entry "display" in /proc/.../attr for controlling which LSM security information is displayed for a process. The name of an active LSM tha

Re: [PATCH v3 1/4] selinux: inline some AVC functions used only once

2019-01-25 Thread Stephen Smalley
On 1/25/19 5:06 AM, Ondrej Mosnacek wrote: avc_dump_av() and avc_dump_query() are each used only in one place. Get rid of them and open code their contents in the call sites. Signed-off-by: Ondrej Mosnacek Reviewed-by: Stephen Smalley --- security/selinux/avc.c | 140

Re: [PATCH v3 3/4] selinux: remove some useless BUG_ONs

2019-01-25 Thread Stephen Smalley
On 1/25/19 5:06 AM, Ondrej Mosnacek wrote: These BUG_ONs do not really protect from any catastrophic situation so there is no need to have them there. They are to catch bugs in callers that pass requested==0. That is always indicative of a bug in the caller (e.g. failed to correctly compute

Re: [PATCH v3 2/4] selinux: replace some BUG_ON()s with a WARN_ON()

2019-01-25 Thread Stephen Smalley
On 1/25/19 5:06 AM, Ondrej Mosnacek wrote: We don't need to crash the machine in these cases. Let's just detect the buggy state early and error out with a warning. Signed-off-by: Ondrej Mosnacek Reviewed-by: Stephen Smalley --- security/selinux/avc.c | 5 +++-- 1 file changed, 3

Re: [PATCH v3 4/4] selinux: log invalid contexts in AVCs

2019-01-25 Thread Stephen Smalley
Daniel Walsh Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683 Signed-off-by: Ondrej Mosnacek Reviewed-by: Stephen Smalley --- security/selinux/avc.c | 15 security/selinux/include/security.h | 3 +++ security/selinux/ss/services.c | 37

Re: [PATCH v2] selinux: log invalid contexts in AVCs

2019-01-24 Thread Stephen Smalley
On 1/22/19 2:42 PM, Paul Moore wrote: On Mon, Jan 21, 2019 at 10:36 AM Ondrej Mosnacek wrote: In case a file has an invalid context set, in an AVC record generated upon access to such file, the target context is always reported as unlabeled. This patch adds new optional fields to the AVC

Re: [RFC PATCH] selinux: log invalid contexts in AVCs

2019-01-18 Thread Stephen Smalley
On 1/18/19 5:04 AM, Ondrej Mosnacek wrote: In case a file has an invalid context set, in an AVC record generated upon access to such file, the target context is always reported as unlabeled. This patch adds new optional fields to the AVC record (slcon and tlcon) that report the actual context

Re: [PATCH] selinux: remove AVC init audit log message

2017-07-28 Thread Stephen Smalley
On Fri, 2017-07-28 at 09:11 -0400, Steve Grubb wrote: > On Friday, July 28, 2017 3:23:31 AM EDT Richard Guy Briggs wrote: > > In the process of normalizing audit log messages, it was noticed > > that the > > AVC initialization code registered an audit log KERNEL record that > > didn't > > fit the

Re: [PATCH] selinux: remove AVC init audit log message

2017-07-28 Thread Stephen Smalley
ng to normalize it it was > determined that this record was not even necessary.  Remove it. > > Ref: http://marc.info/?l=selinux=149614868525826=2 > See: https://github.com/linux-audit/audit-kernel/issues/48 > Signed-off-by: Richard Guy Briggs <r...@redhat.com> Acked-by:

Re: [PATCH 1/2] selinux: log errors when loading new policy

2016-12-19 Thread Stephen Smalley
On Mon, 2016-12-19 at 15:19 +, Gary Tierney wrote: > On Mon, Dec 19, 2016 at 09:43:06AM -0500, Stephen Smalley wrote: > > > > On Sat, 2016-12-17 at 20:48 +, Gary Tierney wrote: > > > > > > Adds error and warning messages to the codepaths which can fa

Re: [PATCH 1/2] selinux: log errors when loading new policy

2016-12-19 Thread Stephen Smalley
On Sat, 2016-12-17 at 20:48 +, Gary Tierney wrote: > Adds error and warning messages to the codepaths which can fail when > loading a new policy.  If a policy fails to load, an error message > will > be printed to dmesg with a description of what failed.  Previously if > there was an error

Re: [PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting

2016-11-22 Thread Stephen Smalley
On 11/22/2016 09:28 AM, Steve Grubb wrote: > On Tuesday, November 22, 2016 8:56:57 AM EST Stephen Smalley wrote: >> On 11/21/2016 04:50 PM, Paul Moore wrote: >>> On Mon, Nov 21, 2016 at 12:30 PM, Steve Grubb <sgr...@redhat.com> wrote: >>>> The AUDIT_MAC

Re: [PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting

2016-11-22 Thread Stephen Smalley
On 11/21/2016 04:50 PM, Paul Moore wrote: > On Mon, Nov 21, 2016 at 12:30 PM, Steve Grubb wrote: >> The AUDIT_MAC_POLICY_LOAD event has dangling text that means the same thing >> as the event type and is missing the uid and results field. The bigger issue >> is that in some

Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-20 Thread Stephen Smalley
On Mon, Oct 19, 2015 at 6:29 PM, Paul Moore <pmo...@redhat.com> wrote: > On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote: >> On 10/07/2015 07:08 PM, Paul Moore wrote: >> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c >> > index ef63d

Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls

2015-10-09 Thread Stephen Smalley
On 10/09/2015 11:39 AM, Paul Moore wrote: On Friday, October 09, 2015 11:05:58 AM Stephen Smalley wrote: On 10/07/2015 07:08 PM, Paul Moore wrote: +static int selinux_kdbus_init_inode(struct inode *inode, + const struct cred *creds) +{ + struct

Re: [RFC PATCH v3 3/5] lsm: add support for auditing kdbus service names

2015-10-09 Thread Stephen Smalley
On 10/09/2015 12:25 PM, Steve Grubb wrote: On Friday, October 09, 2015 10:57:44 AM Stephen Smalley wrote: On 10/07/2015 07:08 PM, Paul Moore wrote: The kdbus service names will be recorded using 'service', similar to the existing dbus audit records. Signed-off-by: Paul Moore <

Re: [RFC PATCH v3 4/5] selinux: introduce kdbus names into the policy

2015-10-09 Thread Stephen Smalley
On 10/07/2015 07:08 PM, Paul Moore wrote: SELinux treats kdbus service names as objects and therefore needs a mechanism to map service names to security labels. This patch adds support for loading kdbus name/label matches with the security policy. The patch supports service name prefix

Re: [RFC PATCH v3 1/5] kdbus: add creator credentials to the endpoints

2015-10-09 Thread Stephen Smalley
On 10/07/2015 07:08 PM, Paul Moore wrote: In order to effectively enforce LSM based access controls we need to have more information about the kdbus endpoint creator than the uid/gid currently stored in the kdbus_node_type struct. This patch replaces the uid/gid values with a reference to the

Re: [RFC PATCH v3 3/5] lsm: add support for auditing kdbus service names

2015-10-09 Thread Stephen Smalley
On 10/07/2015 07:08 PM, Paul Moore wrote: The kdbus service names will be recorded using 'service', similar to the existing dbus audit records. Signed-off-by: Paul Moore --- ChangeLog: - v3 * Ported to the 4.3-rc4 based kdbus tree - v2 * Initial draft ---

Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-09 Thread Stephen Smalley
the security label on a kdbusfs inode Signed-off-by: Paul Moore <pmo...@redhat.com> --- ChangeLog: - v3 * Ported to the 4.3-rc4 based kdbus tree - v2 * Implemented suggestions by Stephen Smalley * call security_kdbus_conn_new() sooner * reworked hook inside kdbus_conn_policy_ow

Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls

2015-10-09 Thread Stephen Smalley
On 10/07/2015 07:08 PM, Paul Moore wrote: Add the SELinux access control implementation for the new kdbus LSM hooks using the new kdbus object class and the following permissions: [NOTE: permissions below are based on kdbus code from Aug 2015] * kdbus:impersonate Send a different

Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing

2015-05-20 Thread Stephen Smalley
On 05/20/2015 04:21 PM, Steve Grubb wrote: On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote: On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote: Add information about ioctl calls to the LSM audit data. Log the file path and command number. Signed-off-by: Jeff Vander Stoep

Re: [RFC][PATCH] selinux: Report result in avc messages

2014-04-30 Thread Stephen Smalley
wrote: How about permitted rather than allowed. I think permitted is already in an AVC. Not sure where. On 04/29/2014 10:59 PM, Eric Paris wrote: On Tue, 2014-04-29 at 16:54 -0700, Stephen Smalley wrote: Requested for Android in order to distinguish denials that are not in fact breaking

Re: [RFC][PATCH] selinux: Report result in avc messages

2014-04-30 Thread Stephen Smalley
Attached patch switches to reporting permissive=0|1 and only does it for avc: denied messages. On Wed, Apr 30, 2014 at 8:18 AM, Stephen Smalley stephen.smal...@gmail.com wrote: I could make it permissive=0 or permissive=1 if that is less confusing. It doesn't necessarily correspond

Re: [RFC][PATCH] selinux: Report result in avc messages

2014-04-30 Thread Stephen Smalley
it to save bytes. They add up when you have 100's of thousands of events per day. -Steve Otherwise LGTM. From the Android camp, this will be very helpful. On Apr 30, 2014 8:43 AM, Stephen Smalley stephen.smal...@gmail.com wrote: Attached patch switches to reporting permissive=0|1

Re: [PATCH] audit: get comm using lock to avoid race in string printing

2014-03-18 Thread Stephen Smalley
On 03/15/2014 07:29 PM, Richard Guy Briggs wrote: --- kernel/audit.c |5 ++--- kernel/auditsc.c |9 + 2 files changed, 7 insertions(+), 7 deletions(-) Doesn't this also need to be fixed (twice) in security/lsm_audit.c? diff --git a/kernel/audit.c b/kernel/audit.c index

Re: [RFC][PATCH v2 2/3] proc: Update get proc_pid_cmdline() to use mm.h helpers

2014-01-15 Thread Stephen Smalley
On 01/13/2014 12:02 PM, William Roberts wrote: Re-factor proc_pid_cmdline() to use get_cmdline() helper from mm.h. Signed-off-by: William Roberts wrobe...@tresys.com Acked-by: Stephen Smalley s...@tycho.nsa.gov --- fs/proc/base.c | 36 ++-- 1 file

Re: [RFC][PATCH v2 1/3] mm: Create utility function for accessing a tasks commandline value

2014-01-15 Thread Stephen Smalley
On 01/13/2014 12:02 PM, William Roberts wrote: introduce get_cmdline() for retrieving the value of a process's proc/self/cmdline value. Signed-off-by: William Roberts wrobe...@tresys.com Acked-by: Stephen Smalley s...@tycho.nsa.gov --- include/linux/mm.h |1 + mm/util.c

Re: [PATCH 1/3] mm: Create utility functions for accessing a tasks commandline value

2013-12-13 Thread Stephen Smalley
On 12/02/2013 04:10 PM, William Roberts wrote: Add two new functions to mm.h: * copy_cmdline() * get_cmdline_length() Signed-off-by: William Roberts wrobe...@tresys.com --- include/linux/mm.h |7 +++ mm/util.c | 48 2

Re: [PATCH 2/3] proc: Update get proc_pid_cmdline() to use mm.h helpers

2013-12-13 Thread Stephen Smalley
On 12/02/2013 04:10 PM, William Roberts wrote: Re-factor proc_pid_cmdline() to use get_cmdline_length() and copy_cmdline() helpers from mm.h Signed-off-by: William Roberts wrobe...@tresys.com --- fs/proc/base.c | 35 ++- 1 file changed, 10 insertions(+),

Re: [PATCH 1/3] mm: Create utility functions for accessing a tasks commandline value

2013-12-13 Thread Stephen Smalley
On 12/13/2013 09:51 AM, William Roberts wrote: On Fri, Dec 13, 2013 at 9:12 AM, Stephen Smalley s...@tycho.nsa.gov wrote: Also, why not just get_task_mm(task) within the function rather than pass it in by the caller? Yes I was debating whether or not to drop the pointer checks... np WRT

Re: How do I figure out on what file dac_override is attempted?

2010-01-20 Thread Stephen Smalley
On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote: Stephen Smalley: To get object information, you need to enable syscall auditing, and add a trivial syscall filter to turn on pathname collection by the audit subsystem. Thanks for that tip (all of you who gave it)! I now know

Re: How do I figure out on what file dac_override is attempted?

2010-01-20 Thread Stephen Smalley
On Wed, 2010-01-20 at 14:23 -0500, Daniel J Walsh wrote: On 01/20/2010 11:15 AM, Joshua Brindle wrote: Stephen Smalley wrote: On Wed, 2010-01-20 at 10:12 -0500, Daniel J Walsh wrote: On 01/20/2010 08:51 AM, Stephen Smalley wrote: On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote

Re: How do I figure out on what file dac_override is attempted?

2010-01-19 Thread Stephen Smalley
chroot is an example syscall filter. The filter doesn't need to have anything to do with your failing operation - it just turns on the machinery that will cause pathname collection so that when the AVC is generated, you will also get a SYSCALL record with the pathname info. -- Stephen Smalley

Re: How do I figure out on what file dac_override is attempted?

2010-01-19 Thread Stephen Smalley
On Tue, 2010-01-19 at 10:06 -0500, Daniel J Walsh wrote: On 01/19/2010 09:52 AM, Stephen Smalley wrote: On Mon, 2010-01-18 at 22:05 +0100, Göran Uddeborg wrote: Here is another strange AVC I'm trying to understand. SETroubleshoot on one of my machines is telling me that SELinux

Re: [PATCH -v3] SELinux: Convert avc_audit to use lsm_audit.h

2009-08-14 Thread Stephen Smalley
to the selinux_audit_data private space, once again to make it so that the patched version behaves like the unpatched. I've tested and confirmed that AVCs look the same before and after this patch. Signed-off-by: Thomas Liu t...@redhat.com Acked-by: Stephen Smalley s...@tycho.nsa.gov Looks like there is also

Re: [PATCH]Fix me add subj

2008-08-26 Thread Stephen Smalley
want the code to work with either, you'd directly read /proc/pid/attr/current and display the resulting string. If you want to be SELinux-specific and include functionality like MLS label translation, you'd use getpidcon(3). -- Stephen Smalley National Security Agency -- Linux-audit mailing

Re: get_field_str() and interpret_field() bug with multi-word fields

2008-08-15 Thread Stephen Smalley
, so as long as that remains text, audit2allow doesn't have to care what the raw format is). 2008/8/14, Stephen Smalley [EMAIL PROTECTED]: On Wed, 2008-08-13 at 13:25 -0300, Klaus Heinrich Kiwi wrote: On Wed, 2008-08-13 at 11:09 -0400, Eric Paris wrote: HAHAHA, kernel output xml? dream

Re: get_field_str() and interpret_field() bug with multi-word fields

2008-08-14 Thread Stephen Smalley
compatibility both in kernel and in the userland, as we are not allowed to break existing userland with new kernel and we'd like new userland to still work on old kernels. Patches that meet those standards accepted. -- Stephen Smalley National Security Agency

Re: [PATCH v4] selinux: support deferred mapping of contexts

2008-05-07 Thread Stephen Smalley
On Wed, 2008-05-07 at 12:48 -0400, Steve Grubb wrote: On Wednesday 07 May 2008 11:29:36 Eric Paris wrote: On Wed, May 7, 2008 at 11:23 AM, Stephen Smalley [EMAIL PROTECTED] wrote: On Wed, 2008-05-07 at 11:17 -0400, Eric Paris wrote: I assume we do NOT want to use this variant

Re: [RFC][PATCH -v2] Smack: Integrate with Audit

2008-03-12 Thread Stephen Smalley
, .release_secctx = smack_release_secctx, -- Stephen Smalley National Security Agency

Re: [RFC][PATCH -v2] Smack: Integrate with Audit

2008-03-12 Thread Stephen Smalley
On Wed, 2008-03-12 at 08:40 -0700, Casey Schaufler wrote: --- Stephen Smalley [EMAIL PROTECTED] wrote: On Wed, 2008-03-12 at 04:44 +0200, Ahmed S. Darwish wrote: Hi!, Setup the new Audit hooks for Smack. The AUDIT_SUBJ_USER and AUDIT_OBJ_USER SELinux flags are recycled

Re: [RFC] Obtaining PATH entry without audit userland

2008-01-11 Thread Stephen Smalley
configured. Then, audit system doesn't collect pathname info due to the optimization to not collect information without syscall filters, and SELinux doesn't get the vfsmount (reliably) in selinux_inode_permission, so it cannot generate a path either. -- Stephen Smalley National Security Agency

Re: [RFC] Obtaining PATH entry without audit userland

2008-01-10 Thread Stephen Smalley
. just the component name) when it has the (vfsmount, dentry) pair available in the LSM hook, which often isn't the case still. So we still depend on audit pathname collection to give us more information than just the component name on many permission checks. -- Stephen Smalley National Security

Re: [PATCH][RFC] V2 Remove SELinux dependencies from linux-audit via LSM

2007-08-07 Thread Stephen Smalley
On Sun, 2007-08-05 at 17:03 -0700, Casey Schaufler wrote: From: Casey Schaufler [EMAIL PROTECTED] This patch interposes LSM interfaces between the audit system and SELinux. This helps make SELinux a cleaner LSM and clarifies the interfaces provided by the audit system. The audit system no

Re: [PATCH][RFC] V1 Remove SELinux dependencies from linux-audit via LSM

2007-08-03 Thread Stephen Smalley
specific. Any problem with making the security_audit_rule interfaces use a void * ? The audit code appears to be accommodating. The struct is already opaque outside of the security module, so you can just rename it and implement your own version of the struct in your module. -- Stephen Smalley

Re: selinux_audit_set_callback

2007-07-30 Thread Stephen Smalley
was a static function registered from an initcall in the same file where the function was defined. -- Stephen Smalley National Security Agency

Re: denied error message

2007-07-26 Thread Stephen Smalley
. -- Stephen Smalley National Security Agency

Re: Audit, LSM, SELinux, and Smack

2007-07-26 Thread Stephen Smalley
On Wed, 2007-07-25 at 13:19 -0700, Casey Schaufler wrote: I'm looking at getting audit into my Smack LSM module. Stephen Smalley has suggested, and I concur, that this may be the time to convert audit from using SELinux specific interfaces to LSM based interfaces. Before I start blasting

Re: Decoding arguments passed to system calls

2007-07-03 Thread Stephen Smalley
=user_u:system_r:unconfined_t:s0 key=(null) type=AVC_PATH msg=audit(1183463480.620:6351): path=/etc/fstab -- Stephen Smalley National Security Agency

Re: Decoding arguments passed to system calls

2007-07-03 Thread Stephen Smalley
On Tue, 2007-07-03 at 07:57 -0400, Stephen Smalley wrote: On Tue, 2007-07-03 at 00:23 +0100, Matthew Booth wrote: On Tue, 2007-07-03 at 10:48 +1200, Darryl Dixon - Winterhouse Consulting wrote: Hi Matt, Thank you for your very thorough response. What you say about not being able

Re: audit-ptrace patch (untested)

2007-03-12 Thread Stephen Smalley
On Mon, 2007-03-12 at 08:20 -0400, Alexander Viro wrote: OK, you've convinced me - I'm switching to selinux-specific ones in kernel/auditsc.c. Updated patch follows, should fix 228409 and 228384. Acked-by: Stephen Smalley [EMAIL PROTECTED] diff --git a/fs/proc/base.c b/fs/proc

Re: audit in /selinux directory

2007-03-09 Thread Stephen Smalley
On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote: On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote: On Friday 09 March 2007 14:31, Camilo Y. Campo wrote: The cat command failed and audit is saying success. A bit strange for me. Could anybody clarify this point for me, please

Re: audit in /selinux directory

2007-03-09 Thread Stephen Smalley
On Fri, 2007-03-09 at 16:17 -0500, Stephen Smalley wrote: On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote: On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote: On Friday 09 March 2007 14:31, Camilo Y. Campo wrote: The cat command failed and audit is saying success. A bit

Re: audit-ptrace patch (untested)

2007-03-07 Thread Stephen Smalley
be: security_release_secctx(ctx,len). @@ -1195,6 +1207,9 @@ void audit_syscall_exit(int valid, long return_code) } else { audit_free_names(context); audit_free_aux(context); + kfree(context-obj_ctx); And again. Otherwise, looks fine. -- Stephen Smalley National

Re: audit-ptrace patch (untested)

2007-03-06 Thread Stephen Smalley
equivalents, selinux_get_task_sid and selinux_sid_to_string, already in use by audit] instead for such internal access to security contexts. -- Stephen Smalley National Security Agency

Re: [RFC] security_getprocattr() API idiocy

2007-02-13 Thread Stephen Smalley
to saner API? Just switch to the saner API. audit_log_task_context) could be using selinux_get_task_sid() + selinux_sid_to_string() instead of security_getprocattr. -- Stephen Smalley National Security Agency

Re: SELinux for auditing

2007-02-01 Thread Stephen Smalley
is certainly legitimate use of them (although I understand your goal of centralizing audit configuration). -- Stephen Smalley National Security Agency

Re: [PATCH] -v3 newrole auditing of failures due to user actions

2006-09-29 Thread Stephen Smalley
is not that pretty, but the Makefile is configured with -Werror and a function which doesn't use its parameters causes warnings. Is there a better solution to this problem? Signed-off-by: Michael Thompson [EMAIL PROTECTED] Acked-by: Stephen Smalley [EMAIL PROTECTED] -- Stephen Smalley National Security

Re: audit 1.2.7 released

2006-09-20 Thread Stephen Smalley
I think this is an existing problem, and not new to 1.2.7. SELinux userland code isn't supposed to assume any fixed max. libselinux does use an initial buffer size as a starting point when calling e.g. getxattr, but will resize the buffer to a larger size if necessary. -- Stephen Smalley

[patch 2/3] selinux: rename selinux_ctxid_to_string

2006-08-02 Thread Stephen Smalley
Rename selinux_ctxid_to_string to selinux_sid_to_string to be consistent with other interfaces. Signed-off-by: Stephen Smalley [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] --- include/linux/selinux.h|8 kernel/audit.c | 14 +++--- kernel

Re: [patch] Full relabel audit event

2006-05-26 Thread Stephen Smalley
in the linux-audit archives. -- Stephen Smalley National Security Agency