[redhat-lspp] RBAC Roles

Stephen Smalley sds at tycho.nsa.gov
Fri Sep 23 17:08:08 UTC 2005


On Fri, 2005-09-23 at 06:26 -0400, Steve Grubb wrote:
> I think we need to do 3 things: 1) have auditctl convert from human readable 
> to the binary internal format for SE Linux, 2) from kernel/audit.c call a 
> hook inside security/selinux/ to a new function that takes the 1 line audit 
> rule and places it in the right place without reloading policy (this is only 
> to generate or suppress messages based on subject or object labels or roles) 
> 3) create an interface where SE Linux passes arguments instead of text to the 
> audit system for further filtering. The audit system then calls 
> log_start/log_format/log_end to generate the message.
> 
> The audit system cannot touch MAC rules at all. Just the messaging that may 
> result from the evaluation of access requests. This is required to meet both 
> RBAC and LSPP. 

Hi,

I think that this is not only not "required", but unreasonable in the
time frame in which we are working.

-- 
Stephen Smalley
National Security Agency
