Re: [PATCH v4 2/2] selinux: add basic filtering for audit trace events
From: Paul Moore
Date: Fri Aug 21 2020 - 17:10:08 EST
On Fri, Aug 21, 2020 at 10:09 AM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> From: Peter Enderborg <peter.enderborg@xxxxxxxx>
>
> This patch adds further attributes to the event. These attributes are
> helpful to understand the context of the message and can be used
> to filter the events.
>
> There are three common items. Source context, target context and tclass.
> There are also items from the outcome of operation performed.
>
> An event is similar to:
> <...>-1309 [002] .... 6346.691689: selinux_audited:
> requested=0x4000000 denied=0x4000000 audited=0x4000000
> result=-13
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=file
>
> With systems where many denials are occurring, it is useful to apply a
> filter. The filtering is a set of logic that is inserted with
> the filter file. Example:
> echo "tclass==\"file\" " > events/avc/selinux_audited/filter
>
> This adds that we only get tclass=file.
>
> The trace can also have extra properties. Adding the user stack
> can be done with
> echo 1 > options/userstacktrace
>
> Now the output will be
> runcon-1365 [003] .... 6960.955530: selinux_audited:
> requested=0x4000000 denied=0x4000000 audited=0x4000000
> result=-13
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=file
> runcon-1365 [003] .... 6960.955560: <user stack trace>
> => <00007f325b4ce45b>
> => <00005607093efa57>
>
> Signed-off-by: Peter Enderborg <peter.enderborg@xxxxxxxx>
> Reviewed-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> ---
> include/trace/events/avc.h | 36 ++++++++++++++++++++++++++----------
> security/selinux/avc.c | 28 +++++++++++++++-------------
> 2 files changed, 41 insertions(+), 23 deletions(-)
... also merged into selinux/next, thanks everyone!
--
paul moore
www.paul-moore.com