Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing List
subject: [patch 1/1] SELinux AVC audit log ipaddr field support (for task_struct->curr_ip) Date: Thu, 10 Mar 2005 16:05:40 +0100
An example of the audit messages with ipaddr field: audit(1110432234.161:0): avc: denied { search } for pid=19057 exe=/usr/bin/wget name=portage dev=hda3 ino=1024647 ipaddr=192.168.1.30 scontext=root:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_tmp_t tclass=dir It's also available at http://pearls.tuxedo-es.org/patches/selinux-avc_audit-log-curr_ip.patch Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> --- linux-2.6.11-lorenzo/security/selinux/avc.c | 6 ++++++ 1 files changed, 6 insertions(+) diff -puN security/selinux/avc.c~selinux-avc_audit-log-curr_ip security/selinux/avc.c --- linux-2.6.11/security/selinux/avc.c~selinux-avc_audit-log-curr_ip 2005-03-10 15:52:12.810227040 +0100 +++ linux-2.6.11-lorenzo/security/selinux/avc.c 2005-03-10 15:52:12.817225976 +0100 @@ -205,6 +205,12 @@ void avc_dump_query(struct audit_buffer char *scontext; u32 scontext_len; +/* CONFIG_GRKERNSEC_PROC_IPADDR if grSecurity is present */From: Stephen Smalley <sds_at_tycho.nsa.gov> subject: Re: [patch 1/1] SELinux AVC audit log ipaddr field support (for task_struct->curr_ip) Date: Thu, 10 Mar 2005 10:16:49 -0500
Even if the basic idea were sound (doubtful), this would need to be generalized (i.e. not ipv4-specific). Also, I think I'd rather see extensions to the audit data be incorporated into the audit framework, not the AVC-specific audit code, and some of the existing avc_audit() code migrated into the audit framework (e.g. the exe= information currently generated by avc_audit could be done by audit_log_exit instead). -- Stephen Smalley <sds@tycho.nsa.gov> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
|
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |