AVC messages
Chad Hanson
chanson at TrustedCS.com
Tue Jan 4 21:20:02 UTC 2005
Stephen Smalley wrote:
> But I don't see why that should prevent you from handling SELinux audit
> messages via auditd and directing them to a MAC audit log file. The kernel
> logging infrastructure can't really handle the potential load of SELinux
> audit, and you don't really want SELinux audit messages intermingled with
> other kernel log messages.
>
What type of audit log separation are you suggesting?
I would think SELinux AVC messages could be logged to a separate location.
However, even a failed request because of DAC needs to have complete MAC
information (label/type) of subject and object in the audit record for LSPP.
Does this match up to what you were stating?
-Chad
____________________________
Chad Hanson
Senior Secure Systems Engineer
Trusted Computer Solutions
121 W Goose Alley
Urbana, IL 61801
www.TrustedCS.com
V: 217.384.0028 ext.12
F: 217.384.0288