linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: normalize the AUDIT_KERNEL AVC initialization record #48

Closed rgbriggs closed 7 years ago

rgbriggs commented 7 years ago

Currently, the AUDIT_KERNEL avc initialization message is:

Switch it to "state=avc_initialized" at minimum, but preferably bring it in line with commit 7c397d01e434 adding "audit_enabled" and "res" fields and if these don't make sense, consider creating a new message type.

This should be an unaccompanied record, so send a context of NULL.

pcmoore commented 7 years ago

Honestly, I'm not sure why this is an audit event, or any notice for that matter. This is just a policy cache, the real thing of interest is if SELinux is enabled, and if so what mode of operation, both of which are already audited.

I would suggest bringing this up on the SELinux mailing list.

rgbriggs commented 7 years ago

Raised on SELinux mailing list: "Access Vector Cache initialization audit message"

rgbriggs commented 7 years ago

Stephen Smalley is fine with removal: http://marc.info/?l=selinux&m=149614868525826&w=2

rgbriggs commented 7 years ago

Post patch upstream: https://www.redhat.com/archives/linux-audit/2017-July/msg00097.html

rgbriggs commented 7 years ago

Post patch upstream: https://www.redhat.com/archives/linux-audit/2017-July/msg00097.html http://marc.info/?l=selinux&m=150122676512723&w=2

pcmoore commented 7 years ago

Merged via 739bde1f22292d76a179d4cbe29fc7bae86ef5e4. Closing this issue as this patch is a trivial one-liner, there is no associated test (writing one would be a waste of time), and I see no reason why this wouldn't go to Linus.