Unique audit record type ranges for individual LSMs
sgrubb at redhat.com
Mon Dec 11 15:44:22 UTC 2017
On Wednesday, December 6, 2017 1:47:43 PM EST Casey Schaufler wrote:
> > While it will be potentially painful to switch, the AppArmor project is
> > considering to use a unique range in order for audit-userspace to
> > support AppArmor audit records. IMHO, SMACK would be free to continue
> > using 1400-1499 as long as they don't need audit-userspace support and
> > SELinux would continue using 1400-1499.
> Aside from the comment that says 1400-1499 are for SELinux, and the three
> events (1400-1402) that are SELinux specific, the events really are general.
> Why not add the AppArmor specifics to the 1400 range? Give them a generic
> sounding name and you'll achieve consistency. Change the comment to say
> "Security Module use" instead of "SELinux use".
I really don't know what the status is for user space support on the other
LSMs. I couldn't tell you if the searching/reporting are broken or working
Additionally, there is auditctl which has very selinux specific field options
to audit on a variety of pieces of the labels. Does this make sense for other
LSMs? Do other LSMs have different needs? I really have no idea.
But one thing for sure...if we combine them all, I expect patches are needed
for user space. By separating them out by event number or some identifier like
lsm=, then we can have lsm specific fixups if necessary.
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive