Closed rgbriggs closed 5 years ago
This appears to be a duplicate of #27, but I'll keep this one since the description is cleaner. However, issue #27 brought up some additional points:
Also related to AUDIT_MAC_POLICY_LOAD: #62.
From https://github.com/linux-audit/audit-kernel/issues/27 a preliminary patch was posted: https://www.redhat.com/archives/linux-audit/2016-November/msg00025.html
Suggest new format of: "auid=%u ses=%u lsm=%s res=1". Policy version isn't readily available that I can tell.
From a SELinux perspective there is no policy "version" in the conventional sense. There is a policy format version, but that is really just about the binary policy syntax and not the actual policy semantics/content.
Another note, while I don't believe this would have any impact on these tools, we would need to verify that this change would not break the audit2allow and audit2why tools.
Test with semodule -R followed by installing policycoreutils-python-utils:
ausearch -ts boot --raw -m mac_policy_load | audit2why
presents no issue.
Posted patch upstream to linux-audit, lkml, lsm, selinux: https://www.redhat.com/archives/linux-audit/2018-April/msg00028.html https://lkml.org/lkml/2018/4/9/825
Upstreamed in v4.18-rc1, released in v4.18
Currently the AUDIT_MAC_POLICY_LOAD record includes dangling keywords:
Switch "policy loaded" to "op=policy_load" or "op=load_policy".
Additionally, should auid= and ses= be dropped if this record is accompanied by a syscall record? If not, then should the context passed to audit_log() be NULL?
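As an added example (not code from this thread, the kernel or the audit userspace), the parser below shows the practical side of the two points raised above: a key=value tokenizer for raw audit records that surfaces the dangling "policy loaded" words of the old MAC_POLICY_LOAD format, accepts the v4.18 "auid= ses= lsm= res=" format, and groups records by the event serial so a MAC_POLICY_LOAD record can be matched with the SYSCALL record it is accompanied by. The sample records are constructed; the exact body of the pre-v4.18 record ("policy loaded auid=... ses=...") is an assumption taken from the wording of this thread, and the process name load_policy in the SYSCALL line is illustrative.

```python
import re
from dataclasses import dataclass

AUID_UNSET = 4294967295  # (unsigned int)-1: no login session, e.g. boot-time loads by init

# Header of a raw audit record as printed by "ausearch --raw" or in audit.log.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# One key=value field; the value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+)=(?P<val>"[^"]*"|\S+)')

# Constructed sample log: two pre-v4.18 records (assumed "policy loaded" body),
# two v4.18+ records, and a SYSCALL record sharing serial 302 with a policy load.
SAMPLE_LOG = """\
type=MAC_POLICY_LOAD msg=audit(1523297437.101:201): policy loaded auid=4294967295 ses=4294967295
type=MAC_POLICY_LOAD msg=audit(1523297501.337:202): policy loaded auid=1000 ses=3
type=MAC_POLICY_LOAD msg=audit(1530000000.010:301): auid=4294967295 ses=4294967295 lsm=selinux res=1
type=MAC_POLICY_LOAD msg=audit(1530000200.450:302): auid=1000 ses=5 lsm=selinux res=1
type=SYSCALL msg=audit(1530000200.450:302): arch=c000003e syscall=1 success=yes exit=0 a0=3 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
"""


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict
    dangling: list  # words in the body that are not key=value pairs


def parse_record(line: str) -> AuditRecord:
    """Split one raw audit record into header, key=value fields and dangling words."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    body, fields, dangling, pos = m.group("body"), {}, [], 0
    for fm in FIELD_RE.finditer(body):
        dangling.extend(body[pos:fm.start()].split())  # free text between fields
        fields[fm.group("key")] = fm.group("val").strip('"')
        pos = fm.end()
    dangling.extend(body[pos:].split())  # free text after the last field
    return AuditRecord(m.group("type"), float(m.group("ts")),
                       int(m.group("serial")), fields, dangling)


def parse_log(log: str) -> list:
    return [parse_record(l) for l in log.splitlines() if l.strip()]


def normalize_policy_load(rec: AuditRecord) -> dict:
    """Uniform view of a MAC_POLICY_LOAD record across the old and new formats."""
    if rec.type != "MAC_POLICY_LOAD":
        raise ValueError("not a MAC_POLICY_LOAD record")
    view = {"serial": rec.serial,
            "auid": int(rec.fields["auid"]), "ses": int(rec.fields["ses"])}
    if "lsm" in rec.fields:
        # v4.18+ format: every token is key=value; LSM and result are explicit
        view.update(lsm=rec.fields["lsm"], res=rec.fields["res"] == "1", legacy=False)
    else:
        # pre-v4.18 format (assumed): "policy loaded" is free text a key=value
        # parser would otherwise drop, nothing names the LSM, and there is no res=
        ok = rec.dangling[:2] == ["policy", "loaded"]
        view.update(lsm=None, res=ok, legacy=True)
    return view


def policy_loads(log: str) -> list:
    """All MAC_POLICY_LOAD records in a raw log, normalized."""
    return [normalize_policy_load(r) for r in parse_log(log) if r.type == "MAC_POLICY_LOAD"]


def interactive_policy_loads(log: str) -> list:
    """Policy loads attributed to a login session (auid set), i.e. not the boot-time
    load; these are the ones worth alerting on or tying to their SYSCALL record."""
    return [v for v in policy_loads(log) if v["auid"] != AUID_UNSET]


def siblings(log: str, serial: int) -> list:
    """Record types that share one audit event serial (how ausearch groups an event)."""
    return [r.type for r in parse_log(log) if r.serial == serial]


if __name__ == "__main__":
    for v in interactive_policy_loads(SAMPLE_LOG):
        print(v, "with records", siblings(SAMPLE_LOG, v["serial"]))
```

The dangling-words list is what a field-oriented consumer (ausearch -i, audit2why, a SIEM key=value extractor) has to carry around or discard for the old record, which is why "op=policy_load" is a better home for that information than free text. Grouping by serial is also the answer a detection rule needs for the auid=/ses= question: when a SYSCALL record accompanies the load it already carries both, so the fields are redundant there but still the only attribution available for records emitted without a syscall context.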