AVC messages

Chad Hanson chanson at TrustedCS.com
Tue Jan 4 21:20:02 UTC 2005


Stephen Smalley wrote:
> But I don't see why that should prevent you from handling
> SELinux audit messages via auditd and directing them to a MAC audit log
> file.  The kernel logging infrastructure can't really handle the
> potential load of SELinux audit, and you don't really want SELinux audit
> messages intermingled with other kernel log messages.
> 

What type of audit log separation are you suggesting?

I would think SELinux AVC messages could be logged to a separate location.
However, even a failed request because of DAC needs to have complete MAC
information (label/type) of subject and object in the audit record for LSPP.

Does this match up to what you were stating?

-Chad
____________________________
Chad Hanson
Senior Secure Systems Engineer

Trusted Computer Solutions
121 W Goose Alley
Urbana, IL  61801

www.TrustedCS.com

V:  217.384.0028  ext.12
F:  217.384.0288
 
 



