On Thursday 10 August 2006 11:56, Daniel J Walsh wrote:
> If this is an MLS requirement we can put it in the MLS Policy. Still
> waiting to hear sgrubb's opinion since he is not crazy about auditallow rules.

Right, this is because you get this record whether you want it or not. I think adding it to policy like this means the selective audit requirement is disregarded.

Part of the problem is that SE Linux has just 2 audit record types, AVC and SELINUX_ERR. So your choice for selective audit is to lose all AVCs or get all AVCs. If auditallow produced a different kind of record type (AVC_ALLOW for example), an admin is more likely to be able to filter it out if they do not want it.

I looked around the attr directory and all the files have the same type. So it's hard to use the audit system to audit by type to pick out the file.

-Steve

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
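
The all-or-nothing filtering described in the message above, as an added example that is not part of the original post: auditallow ("granted") and denial records share type=AVC, so a type-based exclude drops both, and separating them takes content parsing. The log lines and function names are constructed for illustration.

```python
import re

# Constructed sample records (not from a real system). auditallow rules emit
# "avc:  granted" and denials emit "avc:  denied"; both carry type=AVC.
SAMPLE_LOG = """\
type=AVC msg=audit(1155225360.101:41): avc:  denied  { read } for  pid=2101 comm="cat" name="shadow" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1155225361.202:42): avc:  granted  { setcurrent } for  pid=2102 comm="tool" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=SYSCALL msg=audit(1155225361.202:42): arch=40000003 syscall=4 success=yes exit=5 pid=2102 comm="tool"
type=SELINUX_ERR msg=audit(1155225362.303:43): security_compute_sid:  invalid context staff_u:staff_r:bogus_t:s0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<stamp>[^)]+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>granted|denied)\s+\{(?P<perms>[^}]*)\}")


def parse(log):
    """Split audit lines into dicts; AVC records also get decision and perms."""
    records = []
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rec = m.groupdict()
        avc = AVC_RE.search(rec["body"]) if rec["type"] == "AVC" else None
        rec["decision"] = avc.group("decision") if avc else None
        rec["perms"] = avc.group("perms").split() if avc else []
        records.append(rec)
    return records


def exclude_by_type(records, msgtype):
    """Model of a type-based exclude: every record of that type is dropped."""
    return [r for r in records if r["type"] != msgtype]


def drop_auditallow(records):
    """Content-based filter: drop only 'granted' AVCs and keep the denials."""
    return [r for r in records
            if not (r["type"] == "AVC" and r["decision"] == "granted")]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("type exclude keeps:", [r["type"] for r in exclude_by_type(recs, "AVC")])
    print("content filter keeps:", [(r["type"], r["decision"]) for r in drop_auditallow(recs)])
```
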
