[PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting
Lenny Bruzenak
lenny at magitekltd.com
Tue Nov 22 18:53:05 UTC 2016
On 11/22/2016 08:55 AM, Stephen Smalley wrote:
>> >OK. We can move the point where res=1 is set. But I would think that its a
>> >requirement to have an audit record that states that policy failed to load.
>> >FMT_MSA.3 Static Attribute Initialization. Auditable events: All modifications
>> >of the initial value of security attributes. I would think this means changes
>> >such as booleans, modifying labels, loading a new policy, or failure to load a
>> >policy.
> Failure to load a policy is not a modification to the initial value of
> the security attribute, is it?
>
It is definitely relevant, if it falls under another category.
Either a failed malicious intent or a failed supervisory function.
LCB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20161122/213a45ad/attachment.htm>
More information about the Linux-audit
mailing list