Re: [PATCH] Avoid using getprotobyname()

On 4.6.2020 23.40, Paul Moore wrote:
> On Thu, Jun 4, 2020 at 4:30 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
>> On Tue, Jun 2, 2020 at 10:21 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
>>
>>> At least on Debian, /etc/protocols, which is used by
>>> socket.getprotobyname() to resolve protocols to names, does not
>>> contain an entry for "ipv4", so let's avoid using
>>> socket.getprotobyname() since the protocol names are not used in
>>> socket context anyway.
>>>
>>> Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
>>
>> Only concern I have here is that it could change the resulting audit
>> record content. Not sure how the audit people feel about that.
>> Maybe ask on linux-audit mailing list?
>
> If/when you do, it would be good to show before/after audit records.
> However, record formatting is a very tricky issue and it's best to not
> change them unless absolutely necessary.

Right, let's not change it.

One solution would be to try to resolve "ipv4" first and if it fails, try something else. On Fedora "ipv4" resolves to 4. For Debian "IP" would be 0 and 4 can be found with "ipencap".

The original problem was that the protocol "ipv4" is not accepted by "semanage node":
# semanage node -a -t internet_node_t -p ipv4 -M /4 208.0.0.0
OSError: protocol not found

This makes me believe that nobody before me had ever used "semanage node" successfully on Debian. Therefore there shouldn't be compatibility issues with old audit logs, but I suppose it's better to try to match the value used by Fedora (4), so "ipencap" would be a better choice or perhaps simply hardcode the value as 4 if "ipv4" does not resolve.

-Topi
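The fallback order Topi sketches above (resolve "ipv4", then "ipencap", then hardcode 4) as an added, self-contained example; this is not code from the thread or from semanage. The two /etc/protocols excerpts are constructed for the example and only model the two layouts the thread describes (Fedora maps "ipv4" to 4; Debian has "ip" as 0 and "ipencap" as 4); `parse_protocols`, `resolve_protocol` and the fallback tables are names chosen here. `resolve_protocol` takes the lookup function as a parameter so the same logic runs against a parsed table offline or against the real `socket.getprotobyname` on a live system.

```python
import socket

# Constructed excerpts modelled on the two /etc/protocols layouts discussed
# in the thread. They are illustrative, not copies of any distribution's file.
DEBIAN_PROTOCOLS = """\
# Internet (IP) protocols
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
ipencap 4       IP-ENCAP        # IP encapsulated in IP
tcp     6       TCP             # transmission control protocol
"""

FEDORA_PROTOCOLS = """\
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
ipv4    4       IPv4            # IPv4 encapsulation
tcp     6       TCP             # transmission control protocol
"""

# Names to try when the requested name is absent, and a last-resort number
# matching the value Fedora produces, so audit records keep the same content.
FALLBACK_NAMES = {"ipv4": ("ipencap",)}
FALLBACK_NUMBERS = {"ipv4": 4}


def parse_protocols(text):
    """Parse /etc/protocols-style text into {name_or_alias: number}.

    Comments start with '#'; fields are name, number, then aliases.
    Exact-case matching, as the system resolver does.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            number = int(fields[1])
        except ValueError:
            continue  # malformed line, skip it rather than fail
        for name in (fields[0], *fields[2:]):
            table.setdefault(name, number)
    return table


def table_lookup(table):
    """Wrap a parsed table so it raises like socket.getprotobyname() on a miss."""
    def lookup(name):
        try:
            return table[name]
        except KeyError:
            raise OSError("protocol not found: %s" % name)
    return lookup


def resolve_protocol(name, lookup=socket.getprotobyname):
    """Resolve a protocol name to its number.

    Order: the name itself, then any alternative names listed in
    FALLBACK_NAMES, then a hardcoded number from FALLBACK_NUMBERS.
    Raises OSError only when none of those apply.
    """
    for candidate in (name, *FALLBACK_NAMES.get(name, ())):
        try:
            return lookup(candidate)
        except OSError:
            continue
    if name in FALLBACK_NUMBERS:
        return FALLBACK_NUMBERS[name]
    raise OSError("protocol not found: %s" % name)


if __name__ == "__main__":
    for label, text in (("debian", DEBIAN_PROTOCOLS), ("fedora", FEDORA_PROTOCOLS)):
        print(label, "ipv4 ->", resolve_protocol("ipv4", table_lookup(parse_protocols(text))))
```

Against the Debian-style table the first lookup misses and "ipencap" supplies 4; against the Fedora-style table "ipv4" resolves directly; against a table with neither entry the hardcoded 4 is returned, so all three paths yield the same value for the audit record. Unknown names still raise `OSError`, preserving the original failure mode for genuinely bad input.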
