
semanage: correct fcontext auditing

Message ID 1471010236-27524-1-git-send-email-mvadkert@redhat.com (mailing list archive)
State Not Applicable

Commit Message

Miroslav Vadkerti Aug. 12, 2016, 1:57 p.m. UTC
For modify action actually audit the selinux type, i.e. use setype
variable.

For deleting equal fcontext rules do not audit ftype, as the ftype value
for equal rules makes little sense.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
 policycoreutils/semanage/seobject.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Dac Override Aug. 12, 2016, 2:22 p.m. UTC | #1
On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote:
> For modify action actually audit the selinux type, i.e. use setype
> variable.
> 
> For deleting equal fcontext rules do not audit ftype, as the ftype value
> for equal rules makes little sense.
> 
> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
> ---
>  policycoreutils/semanage/seobject.py | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
> index 786ed0e..8d3088c 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -1992,7 +1992,7 @@ class fcontextRecords(semanageRecords):
>          if not seuser:
>              seuser = "system_u"

system_u is reference policy specific. this is selinux user space not
reference policy user space.

>  
> -        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange))
>  
>      def modify(self, target, setype, ftype, serange, seuser):
>          self.begin()
> @@ -2030,7 +2030,7 @@ class fcontextRecords(semanageRecords):
>              self.equiv.pop(target)
>              self.equal_ind = True
>  
> -            self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +            self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0)))
>  
>              return
>  
>
Stephen Smalley Aug. 12, 2016, 2:58 p.m. UTC | #2
On 08/12/2016 10:22 AM, Dominick Grift wrote:
> On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote:
>> For modify action actually audit the selinux type, i.e. use
>> setype variable.
>> 
>> For deleting equal fcontext rules do not audit ftype, as the
>> ftype value for equal rules makes little sense.
>> 
>> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com> --- 
>> policycoreutils/semanage/seobject.py | 4 ++-- 1 file changed, 2
>> insertions(+), 2 deletions(-)
>> 
>> diff --git a/policycoreutils/semanage/seobject.py
>> b/policycoreutils/semanage/seobject.py index 786ed0e..8d3088c
>> 100644 --- a/policycoreutils/semanage/seobject.py +++
>> b/policycoreutils/semanage/seobject.py @@ -1992,7 +1992,7 @@
>> class fcontextRecords(semanageRecords): if not seuser: seuser =
>> "system_u"
> 
> system_u is reference policy specific. this is selinux user space
> not reference policy user space.

Yes, that's pre-existing though (not added by this patch), and
unfortunately pervasive throughout seobject.py.

I guess we'll need to decide how to provide this information so that
it doesn't have to be hardcoded in seobject.py, e.g. yet another
policy configuration file with default values for each security
context field?

> 
>> 
>> -        self.mylog.log_change("resrc=fcontext op=modify %s
>> ftype=%s tcontext=%s:%s:%s:%s" %
>> (audit.audit_encode_nv_string("tglob", target, 0),
>> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
>> self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
>> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob",
>> target, 0), ftype_to_audit[ftype], seuser, "object_r", setype,
>> serange))
>> 
>> def modify(self, target, setype, ftype, serange, seuser): 
>> self.begin() @@ -2030,7 +2030,7 @@ class
>> fcontextRecords(semanageRecords): self.equiv.pop(target) 
>> self.equal_ind = True
>> 
>> -            self.mylog.log_change("resrc=fcontext
>> op=delete-equal %s ftype=%s" %
>> (audit.audit_encode_nv_string("tglob", target, 0),
>> ftype_to_audit[ftype])) +
>> self.mylog.log_change("resrc=fcontext op=delete-equal %s" %
>> (audit.audit_encode_nv_string("tglob", target, 0)))
>> 
>> return
>> 
>> 
> 
> 
> 
> 
> _______________________________________________ Selinux mailing
> list Selinux@tycho.nsa.gov To unsubscribe, send email to
> Selinux-leave@tycho.nsa.gov. To get help, send an email containing
> "help" to Selinux-request@tycho.nsa.gov.
>
Dac Override Aug. 12, 2016, 3 p.m. UTC | #3
On 08/12/2016 04:58 PM, Stephen Smalley wrote:
> On 08/12/2016 10:22 AM, Dominick Grift wrote:
>> On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote:
>>> For modify action actually audit the selinux type, i.e. use
>>> setype variable.
>>>
>>> For deleting equal fcontext rules do not audit ftype, as the
>>> ftype value for equal rules makes little sense.
>>>
>>> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com> --- 
>>> policycoreutils/semanage/seobject.py | 4 ++-- 1 file changed, 2
>>> insertions(+), 2 deletions(-)
>>>
>>> diff --git a/policycoreutils/semanage/seobject.py
>>> b/policycoreutils/semanage/seobject.py index 786ed0e..8d3088c
>>> 100644 --- a/policycoreutils/semanage/seobject.py +++
>>> b/policycoreutils/semanage/seobject.py @@ -1992,7 +1992,7 @@
>>> class fcontextRecords(semanageRecords): if not seuser: seuser =
>>> "system_u"
>>
>> system_u is reference policy specific. this is selinux user space
>> not reference policy user space.
> 
> Yes, that's pre-existing though (not added by this patch), and
> unfortunately pervasive throughout seobject.py.
> 
> I guess we'll need to decide how to provide this information so that
> it doesn't have to be hardcoded in seobject.py, e.g. yet another
> policy configuration file with default values for each security
> context field?

I would not mind that if that is the best approach.

Those object_r occurrences raise another question. Should we be
"supporting" defaultrole source (RBACSEP) or not (i suppose we should)

> 
>>
>>>
>>> -        self.mylog.log_change("resrc=fcontext op=modify %s
>>> ftype=%s tcontext=%s:%s:%s:%s" %
>>> (audit.audit_encode_nv_string("tglob", target, 0),
>>> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
>>> self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
>>> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob",
>>> target, 0), ftype_to_audit[ftype], seuser, "object_r", setype,
>>> serange))
>>>
>>> def modify(self, target, setype, ftype, serange, seuser): 
>>> self.begin() @@ -2030,7 +2030,7 @@ class
>>> fcontextRecords(semanageRecords): self.equiv.pop(target) 
>>> self.equal_ind = True
>>>
>>> -            self.mylog.log_change("resrc=fcontext
>>> op=delete-equal %s ftype=%s" %
>>> (audit.audit_encode_nv_string("tglob", target, 0),
>>> ftype_to_audit[ftype])) +
>>> self.mylog.log_change("resrc=fcontext op=delete-equal %s" %
>>> (audit.audit_encode_nv_string("tglob", target, 0)))
>>>
>>> return
>>>
>>>
>>
>>
>>
>>
>> _______________________________________________ Selinux mailing
>> list Selinux@tycho.nsa.gov To unsubscribe, send email to
>> Selinux-leave@tycho.nsa.gov. To get help, send an email containing
>> "help" to Selinux-request@tycho.nsa.gov.
>>
>
Miroslav Vadkerti Aug. 15, 2016, 6:33 a.m. UTC | #4
On Fri, Aug 12, 2016 at 4:58 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On 08/12/2016 10:22 AM, Dominick Grift wrote:
> > On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote:
> >> For modify action actually audit the selinux type, i.e. use
> >> setype variable.
> >>
> >> For deleting equal fcontext rules do not audit ftype, as the
> >> ftype value for equal rules makes little sense.
> >>
> >> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com> ---
> >> policycoreutils/semanage/seobject.py | 4 ++-- 1 file changed, 2
> >> insertions(+), 2 deletions(-)
> >>
> >> diff --git a/policycoreutils/semanage/seobject.py
> >> b/policycoreutils/semanage/seobject.py index 786ed0e..8d3088c
> >> 100644 --- a/policycoreutils/semanage/seobject.py +++
> >> b/policycoreutils/semanage/seobject.py @@ -1992,7 +1992,7 @@
> >> class fcontextRecords(semanageRecords): if not seuser: seuser =
> >> "system_u"
> >
> > system_u is reference policy specific. this is selinux user space
> > not reference policy user space.
>
> Yes, that's pre-existing though (not added by this patch), and
> unfortunately pervasive throughout seobject.py.
>
> I guess we'll need to decide how to provide this information so that
> it doesn't have to be hardcoded in seobject.py, e.g. yet another
> policy configuration file with default values for each security
> context field?
>

The same issue might apply to serange, which can also
be an empty string and thus gets audited badly
if no default value is supplied.


>
> >
> >>
> >> -        self.mylog.log_change("resrc=fcontext op=modify %s
> >> ftype=%s tcontext=%s:%s:%s:%s" %
> >> (audit.audit_encode_nv_string("tglob", target, 0),
> >> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> >> self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
> >> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob",
> >> target, 0), ftype_to_audit[ftype], seuser, "object_r", setype,
> >> serange))
> >>
> >> def modify(self, target, setype, ftype, serange, seuser):
> >> self.begin() @@ -2030,7 +2030,7 @@ class
> >> fcontextRecords(semanageRecords): self.equiv.pop(target)
> >> self.equal_ind = True
> >>
> >> -            self.mylog.log_change("resrc=fcontext
> >> op=delete-equal %s ftype=%s" %
> >> (audit.audit_encode_nv_string("tglob", target, 0),
> >> ftype_to_audit[ftype])) +
> >> self.mylog.log_change("resrc=fcontext op=delete-equal %s" %
> >> (audit.audit_encode_nv_string("tglob", target, 0)))
> >>
> >> return
> >>
> >>
> >
> >
> >
> >
> > _______________________________________________ Selinux mailing
> > list Selinux@tycho.nsa.gov To unsubscribe, send email to
> > Selinux-leave@tycho.nsa.gov. To get help, send an email containing
> > "help" to Selinux-request@tycho.nsa.gov.
> >
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>
Miroslav Vadkerti Aug. 15, 2016, 8:55 a.m. UTC | #5
Anyway, could we have this patch applied and sort out a better way
of supplying defaults later please?

Thanks,
/M

On Mon, Aug 15, 2016 at 8:33 AM, Miroslav Vadkerti <mvadkert@redhat.com>
wrote:

> On Fri, Aug 12, 2016 at 4:58 PM, Stephen Smalley <sds@tycho.nsa.gov>
> wrote:
>
>> On 08/12/2016 10:22 AM, Dominick Grift wrote:
>> > On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote:
>> >> For modify action actually audit the selinux type, i.e. use
>> >> setype variable.
>> >>
>> >> For deleting equal fcontext rules do not audit ftype, as the
>> >> ftype value for equal rules makes little sense.
>> >>
>> >> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com> ---
>> >> policycoreutils/semanage/seobject.py | 4 ++-- 1 file changed, 2
>> >> insertions(+), 2 deletions(-)
>> >>
>> >> diff --git a/policycoreutils/semanage/seobject.py
>> >> b/policycoreutils/semanage/seobject.py index 786ed0e..8d3088c
>> >> 100644 --- a/policycoreutils/semanage/seobject.py +++
>> >> b/policycoreutils/semanage/seobject.py @@ -1992,7 +1992,7 @@
>> >> class fcontextRecords(semanageRecords): if not seuser: seuser =
>> >> "system_u"
>> >
>> > system_u is reference policy specific. this is selinux user space
>> > not reference policy user space.
>>
>> Yes, that's pre-existing though (not added by this patch), and
>> unfortunately pervasive throughout seobject.py.
>>
>> I guess we'll need to decide how to provide this information so that
>> it doesn't have to be hardcoded in seobject.py, e.g. yet another
>> policy configuration file with default values for each security
>> context field?
>>
>
> ​The same issue might apply for serange, which also
> can be an empty string and thus gets audited badly
> if not some default value.
>
>
>>
>> >
>> >>
>> >> -        self.mylog.log_change("resrc=fcontext op=modify %s
>> >> ftype=%s tcontext=%s:%s:%s:%s" %
>> >> (audit.audit_encode_nv_string("tglob", target, 0),
>> >> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
>> >> self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
>> >> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob",
>> >> target, 0), ftype_to_audit[ftype], seuser, "object_r", setype,
>> >> serange))
>> >>
>> >> def modify(self, target, setype, ftype, serange, seuser):
>> >> self.begin() @@ -2030,7 +2030,7 @@ class
>> >> fcontextRecords(semanageRecords): self.equiv.pop(target)
>> >> self.equal_ind = True
>> >>
>> >> -            self.mylog.log_change("resrc=fcontext
>> >> op=delete-equal %s ftype=%s" %
>> >> (audit.audit_encode_nv_string("tglob", target, 0),
>> >> ftype_to_audit[ftype])) +
>> >> self.mylog.log_change("resrc=fcontext op=delete-equal %s" %
>> >> (audit.audit_encode_nv_string("tglob", target, 0)))
>> >>
>> >> return
>> >>
>> >>
>> >
>> >
>> >
>> >
>> > _______________________________________________ Selinux mailing
>> > list Selinux@tycho.nsa.gov To unsubscribe, send email to
>> > Selinux-leave@tycho.nsa.gov. To get help, send an email containing
>> > "help" to Selinux-request@tycho.nsa.gov.
>> >
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to
>> Selinux-request@tycho.nsa.gov.
>>
>
>
>
> --
> Miroslav Vadkerti :: Senior QE / RHCSS :: BaseOS QE Security
> IRC mvadkert #qe #urt #brno #rpmdiff :: GPG 0x25881087
> Desk Phone +420 532 294 129 :: Mobile +420 773 944 252
> Red Hat Czech s.r.o, Purkyňova 99/71, 612 00, Brno, CR
>
>
Dac Override Aug. 15, 2016, 9:16 a.m. UTC | #6
On 08/15/2016 10:55 AM, Miroslav Vadkerti wrote:
> Anyway, could we have this patch applied and sort out a better way
> of supplying defaults later please?
> 

I hope you do realize that this also affects your customers by
essentially forcing them to use your identifiers. with these MLS
identifiers that is not a big deal but with system_u it is a bigger deal
because now your customers will have to work around this if they wish to
take advantage of CIL and its namespace features by namespacing selinux
user identities.

> Thanks,
> /M
> 
> On Mon, Aug 15, 2016 at 8:33 AM, Miroslav Vadkerti <mvadkert@redhat.com>
> wrote:
> 
>> On Fri, Aug 12, 2016 at 4:58 PM, Stephen Smalley <sds@tycho.nsa.gov>
>> wrote:
>>
>>> On 08/12/2016 10:22 AM, Dominick Grift wrote:
>>>> On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote:
>>>>> For modify action actually audit the selinux type, i.e. use
>>>>> setype variable.
>>>>>
>>>>> For deleting equal fcontext rules do not audit ftype, as the
>>>>> ftype value for equal rules makes little sense.
>>>>>
>>>>> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com> ---
>>>>> policycoreutils/semanage/seobject.py | 4 ++-- 1 file changed, 2
>>>>> insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/policycoreutils/semanage/seobject.py
>>>>> b/policycoreutils/semanage/seobject.py index 786ed0e..8d3088c
>>>>> 100644 --- a/policycoreutils/semanage/seobject.py +++
>>>>> b/policycoreutils/semanage/seobject.py @@ -1992,7 +1992,7 @@
>>>>> class fcontextRecords(semanageRecords): if not seuser: seuser =
>>>>> "system_u"
>>>>
>>>> system_u is reference policy specific. this is selinux user space
>>>> not reference policy user space.
>>>
>>> Yes, that's pre-existing though (not added by this patch), and
>>> unfortunately pervasive throughout seobject.py.
>>>
>>> I guess we'll need to decide how to provide this information so that
>>> it doesn't have to be hardcoded in seobject.py, e.g. yet another
>>> policy configuration file with default values for each security
>>> context field?
>>>
>>
>> ​The same issue might apply for serange, which also
>> can be an empty string and thus gets audited badly
>> if not some default value.
>>
>>
>>>
>>>>
>>>>>
>>>>> -        self.mylog.log_change("resrc=fcontext op=modify %s
>>>>> ftype=%s tcontext=%s:%s:%s:%s" %
>>>>> (audit.audit_encode_nv_string("tglob", target, 0),
>>>>> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
>>>>> self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
>>>>> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob",
>>>>> target, 0), ftype_to_audit[ftype], seuser, "object_r", setype,
>>>>> serange))
>>>>>
>>>>> def modify(self, target, setype, ftype, serange, seuser):
>>>>> self.begin() @@ -2030,7 +2030,7 @@ class
>>>>> fcontextRecords(semanageRecords): self.equiv.pop(target)
>>>>> self.equal_ind = True
>>>>>
>>>>> -            self.mylog.log_change("resrc=fcontext
>>>>> op=delete-equal %s ftype=%s" %
>>>>> (audit.audit_encode_nv_string("tglob", target, 0),
>>>>> ftype_to_audit[ftype])) +
>>>>> self.mylog.log_change("resrc=fcontext op=delete-equal %s" %
>>>>> (audit.audit_encode_nv_string("tglob", target, 0)))
>>>>>
>>>>> return
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________ Selinux mailing
>>>> list Selinux@tycho.nsa.gov To unsubscribe, send email to
>>>> Selinux-leave@tycho.nsa.gov. To get help, send an email containing
>>>> "help" to Selinux-request@tycho.nsa.gov.
>>>>
>>>
>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@tycho.nsa.gov
>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>> To get help, send an email containing "help" to
>>> Selinux-request@tycho.nsa.gov.
>>>
>>
>>
>>
>> --
>> Miroslav Vadkerti :: Senior QE / RHCSS :: BaseOS QE Security
>> IRC mvadkert #qe #urt #brno #rpmdiff :: GPG 0x25881087
>> Desk Phone +420 532 294 129 :: Mobile +420 773 944 252
>> Red Hat Czech s.r.o, Purkyňova 99/71, 612 00, Brno, CR
>>
>>
> 
>
James Carter Aug. 15, 2016, 6:29 p.m. UTC | #7
On 08/12/2016 09:57 AM, Miroslav Vadkerti wrote:
> For modify action actually audit the selinux type, i.e. use setype
> variable.
>
> For deleting equal fcontext rules do not audit ftype, as the ftype value
> for equal rules makes little sense.
>
> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>

Applied.

Thanks,
Jim

> ---
>  policycoreutils/semanage/seobject.py | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
> index 786ed0e..8d3088c 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -1992,7 +1992,7 @@ class fcontextRecords(semanageRecords):
>          if not seuser:
>              seuser = "system_u"
>
> -        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange))
>
>      def modify(self, target, setype, ftype, serange, seuser):
>          self.begin()
> @@ -2030,7 +2030,7 @@ class fcontextRecords(semanageRecords):
>              self.equiv.pop(target)
>              self.equal_ind = True
>
> -            self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +            self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0)))
>
>              return
>
>

Patch

diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 786ed0e..8d3088c 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -1992,7 +1992,7 @@  class fcontextRecords(semanageRecords):
         if not seuser:
             seuser = "system_u"
 
-        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange))
 
     def modify(self, target, setype, ftype, serange, seuser):
         self.begin()
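Review bot: On the new `log_change` line only `target` goes through `audit.audit_encode_nv_string`; `seuser`, `setype` and `serange` are formatted raw into `tcontext=%s:%s:%s:%s`. If any of them can reach this line unvalidated (any checks sit above the hunk and are not visible here), a value containing whitespace or `=` would split the record into extra fields for whatever parses the audit log. I would state the precondition next to the call, e.g. `# seuser/setype/serange must already be validated against the policy; they are written to the audit record unencoded`, or reject such values before logging. The enclosing method starts above the hunk.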
@@ -2030,7 +2030,7 @@  class fcontextRecords(semanageRecords):
             self.equiv.pop(target)
             self.equal_ind = True
 
-            self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+            self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0)))
 
             return
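Review bot: The new `op=delete-equal` record names only the target; the value returned by `self.equiv.pop(target)` at the top of the hunk is discarded, so the audit trail does not show which substitution was removed. Keeping it with `substitute = self.equiv.pop(target)` and appending it to the record as a second `audit.audit_encode_nv_string(...)` field, under whatever field name the matching add record uses, would let someone reading the log reconstruct the deleted rule. Separately, `% (audit.audit_encode_nv_string("tglob", target, 0))` is a parenthesised expression rather than a one-element tuple; a trailing comma or no parentheses would make the intent clearer. The enclosing method begins above the hunk.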