linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: normalize AUDIT_MAC_POLICY_LOAD #47

Closed rgbriggs closed 5 years ago

rgbriggs commented 7 years ago

Currently the AUDIT_MAC_POLICY_LOAD record includes dangling keywords:

Switch "policy loaded" to "op=policy_load" or "op=load_policy".

Additionally, should auid= and ses= be dropped if this record is accompanied by a syscall record? If not, then should the context passed to audit_log() be NULL?

pcmoore commented 7 years ago

This appears to be a duplicate of #27, but I'll keep this one since the description is cleaner. However, issue #27 brought up some additional points:

pcmoore commented 7 years ago

Also related to AUDIT_MAC_POLICY_LOAD: #62.

rgbriggs commented 6 years ago

From https://github.com/linux-audit/audit-kernel/issues/27 a preliminary patch was posted: https://www.redhat.com/archives/linux-audit/2016-November/msg00025.html

rgbriggs commented 6 years ago

Suggest new format of: "auid=%u ses=%u lsm=%s res=1". Policy version isn't readily available that I can tell.
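An added example, not code from this thread or from the kernel: a log consumer that accepts both the pre-normalization body (its bare "policy loaded" text is assumed from the wording quoted in the issue) and the proposed auid= ses= lsm= res= layout, rejecting any other dangling text. The sample records are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not taken from the issue). The first mimics the
# pre-normalization body with the bare "policy loaded" words; the second
# follows the proposed "auid= ses= lsm= res=" layout. Ids are made up.
LEGACY_RECORD = ("type=MAC_POLICY_LOAD msg=audit(1523284700.123:45): "
                 "policy loaded auid=1000 ses=3")
NORMALIZED_RECORD = ("type=MAC_POLICY_LOAD msg=audit(1523284701.456:46): "
                     "auid=1000 ses=3 lsm=selinux res=1")

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class PolicyLoad:
    timestamp: float
    serial: int
    auid: int
    ses: int
    lsm: Optional[str]  # None for the legacy layout, which had no lsm= field
    res: Optional[int]  # None for the legacy layout, which had no res= field
    legacy: bool        # True when the body started with "policy loaded"

def parse_mac_policy_load(line: str) -> Optional[PolicyLoad]:
    """Parse one raw audit line (as printed by ausearch --raw). Returns None
    for other record types; raises ValueError on a body it cannot trust."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group(1) != "MAC_POLICY_LOAD":
        return None
    body = m.group(4)
    legacy = body.startswith("policy loaded")
    if legacy:
        body = body[len("policy loaded"):]
    # Whatever remains after removing key=value pairs is dangling text; only
    # the known legacy prefix is tolerated, so mangled records are rejected.
    if KV_RE.sub("", body).strip():
        raise ValueError(f"dangling text in MAC_POLICY_LOAD body: {body!r}")
    kv = dict(KV_RE.findall(body))
    return PolicyLoad(
        timestamp=float(m.group(2)), serial=int(m.group(3)),
        auid=int(kv["auid"]), ses=int(kv["ses"]),
        lsm=kv.get("lsm"), res=int(kv["res"]) if "res" in kv else None,
        legacy=legacy,
    )

def policy_loads(lines):
    """Collect MAC_POLICY_LOAD records from a mixed raw stream, skipping
    other record types and the '----' separators ausearch prints."""
    return [r for r in map(parse_mac_policy_load, lines) if r is not None]
```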

pcmoore commented 6 years ago

From a SELinux perspective there is no policy "version" in the conventional sense. There is a policy format version, but that is really just about the binary policy syntax and not the actual policy semantics/content.

pcmoore commented 6 years ago

Another note, while I don't believe this would have any impact on these tools, we would need to verify that this change would not break the audit2allow and audit2why tools.

rgbriggs commented 6 years ago

Test with semodule -R followed by installing policycoreutils-python-utils: ausearch -ts boot --raw -m mac_policy_load | audit2why presents no issue.

rgbriggs commented 6 years ago

Posted patch upstream to linux-audit, lkml, lsm, selinux: https://www.redhat.com/archives/linux-audit/2018-April/msg00028.html https://lkml.org/lkml/2018/4/9/825

rgbriggs commented 5 years ago

Upstreamed in v4.18-rc1, released in v4.18