[redhat-lspp] security context in audit records (audit.39 kernel)
Stephen Smalley
sds at tycho.nsa.gov
Wed May 18 19:34:32 UTC 2005
On Wed, 2005-05-18 at 14:26 -0500, Daniel H. Jones wrote:
> Right. I did that because audit_ipc_perms only seems to care about
> IPC_SET. I questioned it as well at the time and the answer I received
> is that this is the only interesting operation from a CAPP audit point
> of view because it is the operation that affects the security attributes
> of the object. LSPP merely extends that requirement to include the
> security context in the audit records.
Hmm...well, SELinux will generate an avc audit message with the IPC
object's security context if there is a MAC denial on the IPC operation,
but I had thought that you would want the context included in any other
audit messages on the IPC object, including DAC denials. You could
cover a lot of the cases by hooking ipcperms(), prior to the DAC check,
to save the IPC object security context, but not all of them (e.g.
ownership-based tests are scattered throughout the IPC code).
BTW, you have a spurious len++ in audit_ipc_security_context.
--
Stephen Smalley
National Security Agency