Based on some feedback from Steve Grubb, Stephan Mueller, and others (unfortunately most of it on some non-public lists), I'm proposing the following patches to enhance my earlier audits for device cgroup ACLs.

Pre-patch, cgroup audits looked like:

type=VIRT_RESOURCE msg=audit(1298068194.479:83142): user pid=23863 uid=0 auid=500 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=deny vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 item=all: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

type=VIRT_RESOURCE msg=audit(1298068194.480:83143): user pid=23863 uid=0 auid=500 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 item=major type="pty": exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

type=VIRT_RESOURCE msg=audit(1298068194.480:83145): user pid=23863 uid=0 auid=500 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 item=file path="/dev/null": exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

Post-patch, the same three audits are modified to include cgroup controller, rdev information for files, major device number for categories, and better names so as not to collide with well-known audit field names (for example, audit libraries expect item= to match a decimal integer, so I used class= instead).

type=VIRT_RESOURCE msg=audit(1299541864.111:78295): user pid=30632 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=deny vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 cgroup="/cgroup/devices/libvirt/qemu/fedora_12/" class=all: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

type=VIRT_RESOURCE msg=audit(1299541864.112:78296): user pid=30632 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 cgroup="/cgroup/devices/libvirt/qemu/fedora_12/" class=major category=pty maj=88: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

type=VIRT_RESOURCE msg=audit(1299541864.112:78297): user pid=30632 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 cgroup="/cgroup/devices/libvirt/qemu/fedora_12/" class=path path=/dev/null rdev=01:03: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

Eric Blake (3):
  audit: tweak audit messages to match conventions
  audit: split cgroup audit types to allow more information
  audit: also audit cgroup controller path

 src/libvirt_private.syms |   1 +
 src/qemu/qemu_audit.c    | 115 ++++++++++++++++++++++++++++++++++++++++------
 src/qemu/qemu_audit.h    |  14 +++++-
 src/qemu/qemu_cgroup.c   |  29 ++++++------
 src/qemu/qemu_driver.c   |   8 ++--
 src/util/cgroup.c        |   8 ++--
 src/util/cgroup.h        |   5 ++
 7 files changed, 142 insertions(+), 38 deletions(-)

-- 
1.7.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
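The field changes above matter to anyone consuming these records on the SIEM side. As an added example (not part of the patch series or libvirt), the parser below reads both the pre-patch (item=) and post-patch (class=, cgroup=, rdev=, maj=) VIRT_RESOURCE layouts quoted in the cover letter, normalises the old item= name onto class=, and pulls out the cgroup device-ACL denials; the two sample records are constructed from the message's own examples.

```python
import re
from typing import Dict, List

# Constructed samples modelled on the pre- and post-patch records quoted above.
PRE = ("type=VIRT_RESOURCE msg=audit(1298068194.479:83142): user pid=23863 uid=0 "
       "auid=500 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
       "msg='resrc=cgroup reason=deny vm=\"fedora_12\" "
       "uuid=51c6fc83-65a4-e627-b698-042b00145201 item=all: "
       "exe=\"/home/dummy/libvirt/daemon/.libs/lt-libvirtd\" hostname=? addr=? "
       "terminal=pts/0 res=success'")
POST = ("type=VIRT_RESOURCE msg=audit(1299541864.112:78297): user pid=30632 uid=0 "
        "auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
        "msg='resrc=cgroup reason=allow vm=\"fedora_12\" "
        "uuid=51c6fc83-65a4-e627-b698-042b00145201 "
        "cgroup=\"/cgroup/devices/libvirt/qemu/fedora_12/\" class=path "
        "path=/dev/null rdev=01:03: "
        "exe=\"/home/dummy/libvirt/daemon/.libs/lt-libvirtd\" hostname=? addr=? "
        "terminal=pts/0 res=success'")

OUTER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                   r"(?P<hdr>.*?) msg='(?P<inner>.*)'$")
# libvirt's own fields end with a ':' immediately before the exe= trailer.
INNER = re.compile(r"^(?P<body>.*?): (?P<trailer>exe=.*)$")
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value optionally quoted

def _pairs(text: str) -> Dict[str, str]:
    out = {}
    for m in KV.finditer(text):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out

def parse_record(line: str) -> Dict[str, str]:
    m = OUTER.match(line.strip())
    if not m or m.group("type") != "VIRT_RESOURCE":
        raise ValueError("not a VIRT_RESOURCE record")
    rec = {"ts": m.group("ts"), "serial": m.group("serial")}
    rec.update(_pairs(m.group("hdr")))          # pid, uid, auid, ses, subj
    im = INNER.match(m.group("inner"))
    if not im:
        raise ValueError("unexpected inner msg layout")
    rec.update(_pairs(im.group("body")))        # resrc, reason, vm, cgroup, class, ...
    rec.update(_pairs(im.group("trailer")))     # exe, hostname, addr, terminal, res
    if "class" not in rec and "item" in rec:    # pre-patch name -> post-patch name
        rec["class"] = rec.pop("item")
    return rec

def cgroup_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Device-ACL records with reason=deny, ordered by audit timestamp/serial."""
    recs = [parse_record(l) for l in lines if "resrc=cgroup" in l]
    return sorted((r for r in recs if r.get("reason") == "deny"),
                  key=lambda r: (float(r["ts"]), int(r["serial"])))
```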