[PATCH] support for context based audit filtering

Darrel Goeddel dgoeddel at trustedcs.com
Fri Mar 10 23:22:01 UTC 2006


Amy Griffis wrote:
> On Fri, Mar 10, 2006 at 02:52:51PM -0600, Darrel Goeddel wrote:
> 
>>I like 'em.  Here is a new patch that incorporates them.  It also 
>>moves the initialization call to selinux into the audit_init
>>function as you had suggested earlier.  Look right?
> 
> 
> You may want to audit_log a message indicating that the audit rules
> were updated due to policy reload.  And in the case when you remove a
> rule because you couldn't update it, you might want to log that too.

We really aren't updating (or removing) the rule.  We are only updating
an implementation specific piece of information relating to the rule.
If a rule references the type badapp_t, it will always reference that
type.  The hidden selinux cache of information may change, but the
"spirit of the rule" is always the same.  So my opinion is that noting
the update is unnecessary (syslog was a compromise from earlier...).

The removal case is handled by audit_panic because it indicates a real
failure in the audit internals somewhere.

-- 

Darrel