On Thu, 2006-09-14 at 09:55 -0500, Michael C Thompson wrote:
> Hey Steve,
>
> on semodule -r module, the audit message you get (MAC_POLICY_LOAD) has
> the exact same message as the audit message you get on semodule -i
> module. That is, "policy loaded". Shouldn't there be a difference between
> module load and module unload?

From the kernel's POV, they are both a policy load. The modular insertion/removal is done in userspace and a new kernel policy is generated and then loaded. So if you want that granularity of audit, you need it to be done in semodule or better in libsemanage (and ultimately in the policy management server when that is deployed).

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
