SELinux Mailing List
Re: [RFC][PATCH] collect security labels on user processes generating audit messages
From: Steve Grubb <sgrubb_at_redhat.com>
Date: Thu, 16 Feb 2006 09:56:19 -0500

OK, I chased this down to make sure of what is happening. The audit working group has a test kernel, lspp.8, that has all the future audit and lspp patches in it for testing. (It can be found at http://people.redhat.com/sgrubb/files/lspp). There is a patch linux-2.6-audit-git.patch, which is not upstream, but should be in the next kernel. That changes the code in audit_log_exit of auditsc.c to:

    if (context->names[i].name)
            audit_log_untrustedstring(ab, context->names[i].name);
    else
            audit_log_format(ab, "(null)");

The code in audit_log_untrustedstring does this:

    while (*p) {
            if (*p == '"' || *p == '(' || *p < 0x21 || *p > 0x7f) {
                    audit_log_hex(ab, string, strlen(string));
                    return;
            }
            p++;
    }
    audit_log_format(ab, "\"%s\"", string);

This means that a real NULL will never have the double-quote marks around it, where a file named \(null\) will always have double-quote marks around it. I confirmed this by looking in the audit logs.

However... ausearch does not make this distinction in its output. I will see what I can do to make the necessary adjustments to ausearch so that it's more obvious.

So, I think that puts this issue to bed...

-Steve

Received on Thu 16 Feb 2006 - 09:56:02 EST
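
An added example, not code from the message, the kernel, or ausearch: a C reader for the name= field that keeps apart the three shapes the code quoted above can emit (bare (null), a double-quoted string, or hex from audit_log_hex). The function names, the enum, and the sample records are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum name_kind { NAME_NULL, NAME_QUOTED, NAME_HEX, NAME_INVALID };
/* Copy the name= value out of one record line; 0 on success, -1 if absent.
 * Splitting on a space is safe: neither encoding can contain one. */
int extract_name(const char *line, char *val, size_t vlen)
{
    const char *p = strstr(line, " name=");          /* 6 == strlen(" name=") */
    size_t n = p ? strcspn(p + 6, " \n") : vlen;
    if (n >= vlen) return -1;
    memcpy(val, p + 6, n); val[n] = '\0';
    return 0;
}

/* Classify a name= value and decode the file name into out (NUL-terminated). */
enum name_kind decode_name(const char *val, char *out, size_t outlen)
{
    size_t n = strlen(val);
    if (outlen == 0) return NAME_INVALID;
    out[0] = '\0';
    if (strcmp(val, "(null)") == 0) return NAME_NULL;   /* bare: no name recorded */
    if (n >= 2 && val[0] == '"' && val[n - 1] == '"') { /* quoted: literal name */
        if (n - 2 >= outlen) return NAME_INVALID;
        memcpy(out, val + 1, n - 2); out[n - 2] = '\0';
        return NAME_QUOTED;
    }
    /* Anything else must be an even-length run of hex digits. */
    if (n == 0 || n % 2 || n / 2 >= outlen ||
        strspn(val, "0123456789abcdefABCDEF") != n) return NAME_INVALID;
    for (size_t i = 0; i < n; i += 2)
        out[i / 2] = (char)strtoul((char[]){ val[i], val[i + 1], '\0' }, NULL, 16);
    out[n / 2] = '\0';
    return NAME_HEX;
}

int main(void)
{
    /* Constructed sample records, not taken from a real audit log. */
    const char *lines[] = { "type=PATH msg=audit(0.000:1): name=(null) inode=1",
                            "type=PATH msg=audit(0.000:2): name=\"(null)\" inode=2",
                            "type=PATH msg=audit(0.000:3): name=286E756C6C29 inode=3" };
    const char *kinds[] = { "NULL", "quoted", "hex", "invalid" };
    char val[256], out[256];
    for (size_t i = 0; i < 3; i++)
        if (extract_name(lines[i], val, sizeof val) == 0)
            printf("%-14s %s [%s]\n", val, kinds[decode_name(val, out, sizeof out)], out);
    return 0;
}
```

Only the bare form reports a missing name; the quoted and hex forms both decode to a real file name, even when that name is the six characters (null).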
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009