New Audit types
Steve Grubb
sgrubb at redhat.com
Wed Nov 2 20:14:15 UTC 2005
On Wednesday 02 November 2005 14:42, Valdis.Kletnieks at vt.edu wrote:
> Presumably, that should be failed by SELinux or something as a violation
> of the appropriate MLS constraint - a process running at some level allowed
> to run 'cat secret' shouldn't be allowed to write to an unlabeled device.
I think you're missing a subtle point. Assume that the user has the
permissions to read secret and write to unlabeled media. Assume they have
properly allocated the device and are ready to do something.
Given that, what is the correct action? LSPP says that it's an auditable event
- it doesn't say it must be prevented. Should each program that does this be
patched or does a central mechanism in the kernel need to handle this?
-Steve