
Re: [PATCH 1/2] SELinux Context Label based audit filtering



On Fri, 2006-02-03 at 09:46 -0500, Stephen Smalley wrote:
> On Fri, 2006-02-03 at 09:27 -0500, Steve Grubb wrote:
> > On Friday 03 February 2006 09:17, Stephen Smalley wrote:
> > > > -F "se_sensitivity>=2" -F "se_sensitivity<=9"
> > >
> > > This requires that SELinux perform the filter interpretation, as the
> > > context structures and dominance relation are purely internal to it, and
> > > the audit system should not be directly tied to them.
> > 
> > The plan was to call SELinux libraries to interpret custom text (public) to
> > sensitivity and send the raw sensitivity (s0).
> 
> Right, libsetrans.  But that still leaves you with a string that has no
> inherent meaning or ordering.

This is begging for placement in a configuration file that allows custom
defined aliases:
"s0" = "non_confidential"
"s1" = "secret"
"s2" = "mostly_secret"
"s3" = "more_secret_than_that"
"s4" = "top_secret"
"s5" = "cheating_on_a_spouse_secret"


Let those be set in either an SELinux config file, or in an Audit config
file.  Let audit userspace interpret these human readable aliases to
SELinux's representation.

:-Dustin
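
The alias file proposed in this message, as an added example that is not part of the original post or of the audit userspace code: a parser for the `"sN" = "alias"` layout and a translator that rewrites an alias inside a `se_sensitivity` filter to the raw level. The function names, the operator set, and the rule that unknown, duplicate or raw-looking aliases are rejected are assumptions made for illustration.

```python
import re

# Constructed alias file, in the "raw" = "alias" layout sketched in the message.
ALIAS_CONF = '''
"s0" = "non_confidential"
"s1" = "secret"
"s2" = "mostly_secret"
"s3" = "more_secret_than_that"
"s4" = "top_secret"
"s5" = "cheating_on_a_spouse_secret"
'''

RAW = re.compile(r's[0-9]+')
ENTRY = re.compile(r'"(s[0-9]+)"\s*=\s*"(\w+)"')
# Field name taken from the quoted -F examples; the operator set is an assumption.
FILTER = re.compile(r'(se_sensitivity)(>=|<=|!=|=|>|<)(\S+)')


def load_aliases(text):
    """Parse the alias file into {alias: raw_level}, refusing ambiguous input."""
    aliases, seen_raw = {}, set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = ENTRY.fullmatch(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry")
        raw, alias = m.groups()
        # An alias that looks like a raw level, or any duplicate, is ambiguous.
        if RAW.fullmatch(alias) or alias in aliases or raw in seen_raw:
            raise ValueError(f"line {lineno}: ambiguous entry {alias!r}")
        aliases[alias] = raw
        seen_raw.add(raw)
    return aliases


def translate_filter(expr, aliases):
    """Replace an alias in a filter with the raw level; raw levels pass through.

    Only names are substituted. Ordering of levels is not decided here.
    """
    m = FILTER.fullmatch(expr)
    if not m:
        raise ValueError(f"not a sensitivity filter: {expr!r}")
    field, op, value = m.groups()
    if RAW.fullmatch(value):
        return expr
    if value not in aliases:
        # Fail closed: never hand an uninterpreted string on as a level.
        raise ValueError(f"unknown sensitivity alias: {value!r}")
    return f"{field}{op}{aliases[value]}"
```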
