
RE: AVC messages



On Tue, 2005-01-04 at 16:20, Chad Hanson wrote:
> What type of audit log separation are you suggesting?

First and foremost, just separating the SELinux audit messages from
other kernel log messages, i.e. don't send them to syslogd and don't put
them in /var/log/messages.  Then, if desired, separate them from DAC
audit messages.

> I would think SELinux AVC messages could be logged to a separate location.
> However, even a failed request because of DAC needs to have complete MAC
> information (label/type) of subject and object in the audit record for LSPP.

That will require a callback by the kernel audit framework into the
security module to get the supplementary information (e.g. the security
contexts) for inclusion in the DAC audit record, as the kernel audit
framework has no direct knowledge of security contexts.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
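
The callback arrangement described in the reply above, modeled in user-space C as an added example (not code from this thread, the Linux kernel, or SELinux). All names (`audit_register_secctx_hook`, `audit_dac_denial`, `toy_get_secctx`), the record format, and the sample labels are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hook: the security module writes the context of an opaque
 * entity into buf and returns 0, or returns -1 if it cannot. */
typedef int (*secctx_hook_t)(const void *entity, char *buf, size_t len);
static secctx_hook_t secctx_hook;   /* NULL until a module registers */
void audit_register_secctx_hook(secctx_hook_t h) { secctx_hook = h; }

/* Audit core: it never inspects the entity, it only asks the hook. */
static void ctx_or_unknown(const void *entity, char *buf, size_t len)
{
    if (!secctx_hook || secctx_hook(entity, buf, len) != 0)
        snprintf(buf, len, "?");    /* no module, or the lookup failed */
}

/* Build a DAC denial record (constructed format) carrying MAC labels. */
int audit_dac_denial(char *out, size_t outlen, unsigned uid, const char *op,
                     const void *subj, const void *obj)
{
    char scon[128], ocon[128];
    ctx_or_unknown(subj, scon, sizeof scon);
    ctx_or_unknown(obj, ocon, sizeof ocon);
    int n = snprintf(out, outlen, "dac: denied op=%s uid=%u subj=%s obj=%s",
                     op, uid, scon, ocon);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;  /* -1: truncated */
}

/* Toy security module: only it knows where the label is stored. */
struct toy_entity { const char *name; const char *label; };
static int toy_get_secctx(const void *entity, char *buf, size_t len)
{
    const struct toy_entity *e = entity;
    if (!e || !e->label)
        return -1;
    int n = snprintf(buf, len, "%s", e->label);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    struct toy_entity proc = { "httpd", "system_u:system_r:httpd_t" };
    struct toy_entity file = { "/etc/shadow", "system_u:object_r:shadow_t" };
    char rec[256];
    audit_register_secctx_hook(toy_get_secctx);
    if (audit_dac_denial(rec, sizeof rec, 48, "open", &proc, &file) == 0)
        puts(rec);
    return 0;
}
```

With no hook registered, the record is still emitted with `?` in place of each context, so a DAC denial is never dropped merely because the security module is absent.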

