[redhat-lspp] SE Linux audit events
Steve Grubb
sgrubb at redhat.com
Tue Nov 8 17:38:03 UTC 2005
On Tuesday 08 November 2005 11:51, Stephen Smalley wrote:
> the questions should be more along the lines of "Does it meet a
> requirement?
Yes, I think any change to a trusted database needs to be recorded.
> Does it provide added value?
Yes, it is more easily recognized for what it is. There is also a lot of extra
information that is not needed being sent. The majority of the syscall
information is not needed.
> Can it already be achieved using existing mechanism?"
Well, we need to have more than AVC's to represent what is going on in the
system. This is a configuration change, why not call it that?
> The other point to keep in mind here is that each kernel change takes
> time to upstream, and the window for upstreaming is short for each
> release. So avoiding unnecessary kernel changes is especially
> desirable.
We have a boatload of changes going upstream, one more doesn't hurt.
-Steve