[Snare-devel] Re: SELinux, LSM, SNARE ...

M. Fecina fecina at psu.edu
Fri Feb 11 19:43:02 UTC 2005


Thanks, Stephen.

That clears up a lot of the misconceptions I had.
I'll check David's postings to see where patches
can be found for the 2.6 audit framework, and then
I'll download the auditd from Redhat rawhide.

M. Fecina
Stephen Smalley wrote:
> On Fri, 2005-02-11 at 13:23, M. Fecina wrote:
> 
>>However, with all of the patches and progress being made
>>on SELinux, I'm wondering what the comparison is between
>>SNARE and SELinux.  I know SELinux is built-in to the 2.6
>>kernel tree, and in conjunction with some userspace daemons (auditd),
>>it can provide audit trails.
> 
> 
> Wrong question.  You want to compare SNARE with the mainline 2.6 audit
> framework, not SNARE vs. SELinux.
> 
> SELinux provides mandatory access controls, not audit.  It happens to
> include configurable support for generating audit messages of MAC
> permission checks, but does not provide an audit subsystem itself. 
> Originally SELinux just passed its audit messages to klogd via printk
> since there was no audit subsystem in the mainline kernel, but after an
> audit framework was added to 2.6, SELinux was modified to pass its audit
> messages to the audit framework, which in turn will either pass them
> along to klogd (if no auditd is registered) or to auditd.
> 
> Work is ongoing to make the kernel audit framework sufficient to meet
> CAPP requirements, as you have no doubt seen from the messages on this
> list.  When it gets to that point, the SNARE userspace should IMHO be
> ported to use the kernel audit framework rather than their own kernel
> patches (which were unsafe to begin with).
> 
> Fedora rawhide should contain the latest auditd.  For the kernel, David
> Woodhouse has been building kernels that include the kernel patches -
> see his postings.
> 

-- 
Michael D. Fecina
Research Assistant
Applied Research Laboratory
Pennsylvania State University
814.863.5248
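The routing Stephen describes ends with auditd writing SELinux's AVC messages to its log, and the defender's next step is reading them back. As an added example (not code from this thread, the SNARE project or the audit project), the Python below parses AVC records in the layout auditd writes them (type=AVC msg=audit(secs.ms:serial): avc: denied|granted { perms } for key=value ...), skips the accompanying SYSCALL records, and tallies denials per source domain, target type and object class. The log lines are constructed for the example, not captured from a system.

```python
"""Parse SELinux AVC records from an auditd-style log and tally denials.

Added example; not code from the Snare or Linux audit projects. The record
layout follows the kernel's AVC audit message format; the sample lines in
SAMPLE_LOG are constructed for illustration, not captured output.
"""
import re
from dataclasses import dataclass

# Constructed sample: one denial, its paired SYSCALL record, and one grant.
SAMPLE_LOG = """\
type=AVC msg=audit(1108150982.123:45): avc:  denied  { read } for  pid=2110 comm="httpd" name="index.html" dev=hda3 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1108150982.123:45): arch=40000003 syscall=5 success=no exit=-13 pid=2110 comm="httpd"
type=AVC msg=audit(1108150990.456:46): avc:  granted  { setenforce } for  pid=3000 comm="setenforce" scontext=user_u:user_r:sysadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Header of an AVC record: timestamp, serial, verdict, permission set, then
# the free-form key=value tail.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    serial: int
    timestamp: float
    verdict: str      # "denied" or "granted"
    perms: list       # permissions named inside the braces
    fields: dict      # pid, comm, scontext, tcontext, tclass, ...


def parse_avc_log(text):
    """Return the AVC records found in `text`; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and similar records are not AVC
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(AvcRecord(
            serial=int(m.group("serial")),
            timestamp=float(f"{m.group('secs')}.{m.group('ms')}"),
            verdict=m.group("verdict"),
            perms=m.group("perms").split(),
            fields=fields,
        ))
    return records


def context_type(ctx):
    """Extract the type component from a user:role:type[:level] context."""
    return ctx.split(":")[2]


def denials_by_domain(records):
    """Count denied permissions keyed by (source type, target type, class)."""
    counts = {}
    for rec in records:
        if rec.verdict != "denied":
            continue
        key = (context_type(rec.fields["scontext"]),
               context_type(rec.fields["tcontext"]),
               rec.fields["tclass"])
        counts[key] = counts.get(key, 0) + len(rec.perms)
    return counts


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_LOG)
    for key, n in denials_by_domain(recs).items():
        print(f"{key[0]} -> {key[1]} ({key[2]}): {n} denied permission(s)")
```

Run it against a real audit.log by replacing SAMPLE_LOG with the file contents; records that auditd emits for the same event share the serial number, so the SYSCALL line that is skipped here can be joined back to its AVC record by serial when you need the failing syscall.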




More information about the Linux-audit mailing list