Another dumb question...
Russell Coker
russell at coker.com.au
Sat Apr 10 06:18:40 UTC 2004
On Mon, 5 Apr 2004 22:51, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> identity using that audit framework rather than SELinux. Also, the
> existing SELinux auditing of permission checks could be configured to
> audit all transitions to and from the su domains, such that the SELinux
> user identity transitions would be logged as they occur, e.g. adding
> something like 'auditallow $1_t $1_su_t:process transition; auditallow
> $1_su_t userdomain:process transition;' to
> policy/macros/program/su_macros.te (caveat: untested).
The problem with this is that you need to analyse a lot of log data to get the
result.
Someone could run su days or weeks before performing an action that is
undesirable.
The audit framework can be used instead; it's just another thing that we have
to learn and support in our log file analysis programs.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
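
Added example, not part of the original message or of any SELinux tool: a sketch of the log analysis discussed above, pulling SELinux user identity changes out of the "granted" records that the quoted auditallow rules would produce, then finding the last such change before a later event. The sample records, their field layout, and the function names are constructed assumptions.

```python
import re

# Constructed sample records; the field layout is assumed to follow the
# kernel's "avc: granted" message format and is not taken from the post.
SAMPLE_LOG = """\
audit(1081000000.100:0): avc:  granted  { transition } for  pid=812 exe=/bin/bash path=/bin/su scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_su_t tclass=process
audit(1081000003.250:0): avc:  granted  { transition } for  pid=813 exe=/bin/su path=/bin/bash scontext=user_u:user_r:user_su_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1081000500.000:0): avc:  denied  { read } for  pid=900 exe=/bin/cat name=shadow scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1081900000.700:0): avc:  granted  { transition } for  pid=4410 exe=/bin/su path=/bin/bash scontext=staff_u:staff_r:staff_su_t tcontext=staff_u:staff_r:staff_t tclass=process
"""

# Only granted process transitions are of interest here.
RECORD = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+granted\s+\{ transition \}.*?"
    r"pid=(?P<pid>\d+).*?scontext=(?P<src>\S+) tcontext=(?P<dst>\S+) tclass=process")

def identity_changes(lines):
    """Return transitions out of a *_su_t domain where the SELinux user changed."""
    changes = []
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue
        src_user, _, src_type = m["src"].split(":")[:3]
        dst_user, _, dst_type = m["dst"].split(":")[:3]
        if src_type.endswith("_su_t") and src_user != dst_user:
            changes.append({"ts": float(m["ts"]), "pid": int(m["pid"]),
                            "from": src_user, "to": dst_user, "domain": dst_type})
    return changes

def last_change_before(changes, event_ts):
    """Most recent identity change preceding an event, with the gap in seconds."""
    earlier = [c for c in changes if c["ts"] <= event_ts]
    if not earlier:
        return None
    hit = max(earlier, key=lambda c: c["ts"])
    return hit, event_ts - hit["ts"]

if __name__ == "__main__":
    changes = identity_changes(SAMPLE_LOG.splitlines())
    print(changes)
    print(last_change_before(changes, 1082000000.0))
```

In the constructed data the gap between the identity change and the later event is about eleven and a half days, so the analysis has to retain and search logs at least that far back.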
More information about the fedora-selinux-list mailing list