Janak Desai wrote:
On Tue, 2006-08-08 at 15:53 -0400, Daniel J Walsh wrote:
Klaus Weidner wrote:
On Tue, Aug 08, 2006 at 04:22:54PM -0300, Thiago Jung Bauermann wrote:
We did one test with the auditallow rule for write and another with the
auditallow rule for setfscreate. The records found in the audit log for
both tests are attached. The difference is that the auditallow rule for
the write operation adds PATH and AVC_PATH audit records, while the
setfscreate rule just generates AVC and SYSCALL records.
Thanks for testing! The record is fine, the path information isn't needed
since the AVC record contains both the PID and the operation type
(setfscreate). It's more informative than the write record.

Can a loadable policy module add "auditallow" entries like these, or does
this need to go into the base policy?
They can be in modules.

Yes, we tested this with a small loadable policy module.
Dan, in your opinion is a loadable module the best way to handle
this? I guess, since the existing allow/fscreate line is in base_user_template, a module can apply the change only for the lspp evaluation system.
If this is an MLS requirement we can put it in the MLS Policy. Still waiting to hear sgrubb's opinion, since he is not crazy about auditallow rules. And he is in Orlando this week.
Both mention the pid and security context of the subject changing the
fscreate file both in the AVC message and in the SYSCALL message, but
none of them displays the new contents of the fscreate file.

Klaus: do you think the info there is sufficient for LSPP?
It would be nice to have the new fscreate context in the log, but it's
not required by LSPP. (The "additional event details" column doesn't list
it, and it's not one of the standard required audit record fields.)

-Klaus

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
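As an added example (not code from the thread or its attachment), a small Python correlator that picks out the AVC "granted" records an auditallow rule on setfscreate produces and joins each with the SYSCALL record sharing its audit event id, yielding the pid, subject context, loginuid and executable the thread discusses. The sample records below are constructed, with all field values assumed.

```python
import re
from collections import defaultdict

# Constructed sample records (not the thread's attachment): one setfscreate grant
# with its SYSCALL record (same event id) plus an unrelated denial to be ignored.
SAMPLE_LOG = """
type=AVC msg=audit(1155059000.391:1042): avc:  granted  { setfscreate } for  pid=2817 comm="restorecon" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255 tcontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255 tclass=process
type=SYSCALL msg=audit(1155059000.391:1042): arch=40000003 syscall=4 success=yes exit=40 a0=3 a1=9f2c008 a2=28 a3=0 items=0 ppid=2801 pid=2817 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecon" exe="/sbin/restorecon" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255 key=(null)
type=AVC msg=audit(1155059003.118:1043): avc:  denied  { read } for  pid=2930 comm="cat" name="shadow" dev=sda2 ino=12345 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>granted|denied)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group raw records by event id: {event_id: {record_type: [body, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events[m["event"]][m["type"]].append(m["body"])
    return events


def fields(body):
    """Split an audit record body into a key/value dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def setfscreate_grants(text):
    """One dict per audited setfscreate grant, joining the AVC record with the SYSCALL
    record of the same event. The new fscreate context is in neither record."""
    grants = []
    for event_id, recs in parse_records(text).items():
        for avc_body in recs.get("AVC", []):
            m = AVC_RE.search(avc_body)
            if not m or m["verdict"] != "granted" or "setfscreate" not in m["perms"].split():
                continue
            avc = fields(m["rest"])
            entry = {"event": event_id, "pid": avc.get("pid"), "comm": avc.get("comm"),
                     "scontext": avc.get("scontext"), "tclass": avc.get("tclass"),
                     "auid": None, "exe": None, "syscall": None, "success": None}
            for sc in recs.get("SYSCALL", []):  # normally exactly one per event
                s = fields(sc)
                entry.update(auid=s.get("auid"), exe=s.get("exe"),
                             syscall=s.get("syscall"), success=s.get("success"))
            grants.append(entry)
    return grants
```

Running `setfscreate_grants(SAMPLE_LOG)` returns the single grant with pid 2817, and the denial is filtered out because only "granted" records with the setfscreate permission are kept.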