[redhat-lspp] userdomain policy question ..

Thiago Jung Bauermann bauerman at br.ibm.com
Tue Aug 8 19:22:54 UTC 2006


On Tue, 2006-08-08 at 13:31 -0400, redhat-lspp-bounces at redhat.com wrote:
> On Tue, 2006-08-08 at 12:21 -0500, Klaus Weidner wrote:
> > On Tue, Aug 08, 2006 at 12:52:37PM -0400, Stephen Smalley wrote:
> > > # Audit setting of fscreate attribute.
> > > auditallow domain self:process setfscreate;
> > > or
> > > # Audit writing to all /proc/pid files.
> > > auditallow domain self:file write;
> > This sounds like a good solution, I didn't know that this works. Can
> > someone verify that the audit record contains the LSPP required data
> > such as the subject label?
> Thanks Klaus. Thiago and I will verify this.

We did one test with the auditallow rule for write and another with the
auditallow rule for setfscreate. The records found in the audit log for
both tests are attached. The difference is that the auditallow rule for
the write operation adds PATH and AVC_PATH audit records, while the
setfscreate rule just generates AVC and SYSCALL records.

Both mention the pid and security context of the subject changing the
fscreate file both in the AVC message and in the SYSCALL message, but
none of them displays the new contents of the fscreate file.

Klaus: do you think the info there is sufficient for LSPP?
-- 
Thiago Jung Bauermann
Software Engineer
IBM Linux Technology Center
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-write.log
Type: text/x-log
Size: 1553 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20060808/fd35d694/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-setfscreate.log
Type: text/x-log
Size: 484 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20060808/fd35d694/attachment-0001.bin>
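An added example, not part of the mail or its attachments: a small Python checker that groups audit records by event serial and confirms each event carries the subject's pid and SELinux label in both the AVC (scontext=) and SYSCALL (subj=) records, which is the verification the thread asks for. The log lines below are constructed approximations of auditd output for the two auditallow rules, not the attached logs.

```python
import re
from collections import defaultdict

# Constructed sample records (auditd line format): event 101 is a hit on
# "auditallow domain self:process setfscreate", event 102 a hit on
# "auditallow domain self:file write" against /proc/<pid>/attr/fscreate.
SAMPLE_LOG = """\
type=AVC msg=audit(1155064974.123:101): avc: granted { setfscreate } for pid=2345 comm="setfiles" scontext=root:system_r:sysadm_t:s0 tcontext=root:system_r:sysadm_t:s0 tclass=process
type=SYSCALL msg=audit(1155064974.123:101): arch=c000003e syscall=1 success=yes exit=30 a0=3 pid=2345 auid=500 uid=0 gid=0 comm="setfiles" exe="/sbin/setfiles" subj=root:system_r:sysadm_t:s0 key=(null)
type=AVC msg=audit(1155064980.456:102): avc: granted { write } for pid=2345 comm="setfiles" name="fscreate" dev=proc ino=12345 scontext=root:system_r:sysadm_t:s0 tcontext=root:system_r:sysadm_t:s0 tclass=file
type=AVC_PATH msg=audit(1155064980.456:102):  path="/proc/2345/attr/fscreate"
type=SYSCALL msg=audit(1155064980.456:102): arch=c000003e syscall=1 success=yes exit=30 a0=3 pid=2345 auid=500 uid=0 gid=0 comm="setfiles" exe="/sbin/setfiles" subj=root:system_r:sysadm_t:s0 key=(null)
type=PATH msg=audit(1155064980.456:102): item=0 name="/proc/self/attr/fscreate" inode=12345 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:system_r:sysadm_t:s0
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Group records sharing one audit serial into an event; keep record
    types in order and the first value seen for each key=value field."""
    events = defaultdict(lambda: {"types": [], "fields": {}})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events[int(m.group("serial"))]
        ev["types"].append(m.group("type"))
        for key, val in FIELD_RE.findall(m.group("body")):
            ev["fields"].setdefault(key, val.strip('"'))
    return dict(events)


def check_subject_label(events):
    """Per event: which record types appeared, and whether the subject is
    identified (pid present, scontext= in the AVC, subj= in the SYSCALL,
    and the two labels agree). Note that no field carries the new label
    written into fscreate, only the path, matching the observation above."""
    report = {}
    for serial, ev in events.items():
        f = ev["fields"]
        report[serial] = {
            "types": sorted(set(ev["types"])),
            "pid": f.get("pid"),
            "subject": f.get("scontext"),
            "ok": f.get("pid") is not None
                  and f.get("scontext") is not None
                  and f.get("scontext") == f.get("subj"),
        }
    return report
```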