Bug 1287745

Summary: RFE: Add more fields to use composing audit rules to the exclude filter
Product: [Fedora] Fedora Reporter: Steve Grubb <sgrubb>
Component: kernelAssignee: Paul Moore <pmoore>
Status: CLOSED DEFERRED QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab, rbriggs, ryoung1
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-02 19:43:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steve Grubb 2015-12-02 15:13:00 UTC
Description of problem:
The exclude filter was created a long time ago to filter out SE Linux AVC's to meet the Common Criteria profile for CAPP. Currently the only field that can be used for filtering is the msgtype field. There are times when an admin may want to exclude events coming from user space or syscall events using uid, auid, session id, or even selinux types.

The lowest common denominator is the credentials that come from netlink during user space originating events. It might be possible to combine the filters for user and exclude which would give a little more flexibility in writing rules for the exclude filter. The only issue is the semantics are different between them. The user filter passes selected events where the exclude deletes selected events.

Comment 1 Paul Moore 2016-04-06 23:28:55 UTC
Upstream issue:

 * https://github.com/linux-audit/audit-kernel/issues/5

Comment 2 Paul Moore 2016-06-02 19:43:34 UTC
Closing this as we are tracking upstream RFEs on GitHub now, see link on comment #1.