
Re: [PATCH] context based audit filtering (take 3)



On Tue, 2006-02-21 at 17:59 -0600, Darrel Goeddel wrote:
> The updated version of Dustin's patch I referred to is below.  The changes are
> as follows:
>
> - printk a warning and ignore invalid selinux rules (but still hang on to them
>   so they may be activated with a later policy reload).

Should this be a printk or an audit_log call?

> @@ -370,6 +410,14 @@ static int audit_compare_rule(struct aud
>  			if (audit_compare_watch(a->watch, b->watch))
>  				return 1;
>  			break;
> +		case AUDIT_SE_USER:
> +		case AUDIT_SE_ROLE:
> +		case AUDIT_SE_TYPE:
> +		case AUDIT_SE_SEN:
> +		case AUDIT_SE_CLR:
> +			if (strcmp(a->fields[i].se_str, b->fields[i].se_str))
> +				return 1;
> +			break;
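Review bot: the strcmp() on se_str in the new AUDIT_SE_USER .. AUDIT_SE_CLR cases compares the spelling of the two context strings, not the value they resolve to under the loaded policy, so two rules that name the same SELinux type through an alias are treated as distinct rather than as duplicates. The other cases in audit_compare_rule() compare the effective value (audit_compare_watch() for watches), so this case is the odd one out. If string equality is the intended semantics, a short comment saying so would avoid the question; otherwise compare the resolved values when both rules have been accepted by the current policy and fall back to strcmp() only for rules that are still being held as invalid, as described in the changelog.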

Do you want to catch aliases here?  If so, you need to have SELinux look
up the strings and compare the actual values.  But possibly that isn't
critical for the purposes of just preventing duplicate filters.

-- 
Stephen Smalley
National Security Agency
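Added example (not part of the thread, the patch, or the kernel): the two comparison semantics the reply raises, side by side. `se_field_differs_by_string` does what the quoted hunk does, a plain strcmp() of the stored field strings; `se_field_differs_by_value` resolves both strings against a policy first and compares the result, falling back to the string comparison when either name is unknown, which is the case for rules the patch keeps around as invalid until a later policy reload. The `policy` table, the type names and the alias `apache_t` are constructed stand-ins for a SELinux policy lookup, not real policy data.

```c
/* Added example: duplicate detection for SELinux-context audit filter
 * fields, comparing raw strings versus policy-resolved values.
 * Not from the patch or the kernel; the policy table, type names and
 * the alias below are constructed for illustration. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the loaded SELinux policy: maps a type name
 * or type alias to a canonical type id.  0 means "unknown under the
 * currently loaded policy". */
struct type_entry {
    const char *name;
    unsigned id;
};

static const struct type_entry policy[] = {
    { "httpd_t",      1 },
    { "apache_t",     1 },   /* hypothetical alias of httpd_t */
    { "sshd_t",       2 },
    { "unconfined_t", 3 },
};

static unsigned resolve_type(const char *name)
{
    size_t i;

    for (i = 0; i < sizeof(policy) / sizeof(policy[0]); i++)
        if (strcmp(policy[i].name, name) == 0)
            return policy[i].id;
    return 0;   /* not in policy: a rule using it stays "invalid" */
}

/* Same semantics as the quoted hunk: 1 if the field strings differ. */
int se_field_differs_by_string(const char *a, const char *b)
{
    return strcmp(a, b) != 0;
}

/* Alias-aware variant: when both names resolve under the current
 * policy, compare the resolved ids; otherwise fall back to the
 * spelling, since an unresolved rule has nothing else to compare. */
int se_field_differs_by_value(const char *a, const char *b)
{
    unsigned ia = resolve_type(a);
    unsigned ib = resolve_type(b);

    if (ia && ib)
        return ia != ib;
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed rule pairs, including two names unknown to the policy. */
    const char *pairs[][2] = {
        { "httpd_t", "httpd_t"  },
        { "httpd_t", "apache_t" },
        { "httpd_t", "sshd_t"   },
        { "foo_t",   "foo_t"    },
        { "foo_t",   "bar_t"    },
    };
    size_t i;

    for (i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
        printf("%-8s vs %-8s  by string: %-6s  by value: %s\n",
               pairs[i][0], pairs[i][1],
               se_field_differs_by_string(pairs[i][0], pairs[i][1]) ? "differ" : "same",
               se_field_differs_by_value(pairs[i][0], pairs[i][1]) ? "differ" : "same");
    return 0;
}
```

The fallback in `se_field_differs_by_value` is the caveat for this patch: because invalid rules are kept so that a later policy reload can activate them, a value comparison is only available once both rules resolve, and a duplicate check that runs at rule-insertion time still needs the string comparison for the rest.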

