[redhat-lspp] userdomain policy question ..

Daniel J Walsh dwalsh at redhat.com
Tue Aug 8 19:53:24 UTC 2006


Klaus Weidner wrote:
> On Tue, Aug 08, 2006 at 04:22:54PM -0300, Thiago Jung Bauermann wrote:
>   
>> We did one test with the auditallow rule for write and another with the
>> auditallow rule for setfscreate. The records found in the audit log for
>> both tests are attached. The difference is that the auditallow rule for
>> the write operation adds PATH and AVC_PATH audit records, while the
>> setfscreate rule just generates AVC and SYSCALL records.
>>     
>
> Thanks for testing! The record is fine, the path information isn't needed
> since the AVC record contains both the PID and the operation type
> (setfscreate). It's more informative than the write record.
>
> Can a loadable policy module add "auditallow" entries like these, or does
> this need to go into the base policy?
>   
They can be in modules.
>   
>> Both mention the pid and security context of the subject changing the
>> fscreate file both in the AVC message and in the SYSCALL message, but
>> none of them displays the new contents of the fscreate file.
>>
>> Klaus: do you think the info there is sufficient for LSPP?
>>     
>
> It would be nice to have the new fscreate context in the log, but it's
> not required by LSPP. (The "additional event details" column doesn't list
> it, and it's not one of the standard required audit record fields.)
>
> -Klaus
>   
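The record difference discussed in this thread, as an added example (not from the original messages or the attached logs): a Python script that groups audit records by event serial and reports, for each auditallow-generated "granted" AVC, the permission, PID, subject context and whether PATH/AVC_PATH records accompany it. The sample records, the user_t domain and the test_fscreate program name are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample records (not the attachments from the thread); the field
# layout follows the Linux audit log format, all values are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1155066804.101:310): avc:  granted  { setfscreate } for  pid=2741 comm="test_fscreate" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process
type=SYSCALL msg=audit(1155066804.101:310): arch=40000003 syscall=4 success=yes exit=32 pid=2741 comm="test_fscreate" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1155066811.517:311): avc:  granted  { write } for  pid=2745 comm="test_fscreate" name="fscreate" dev=proc ino=179634190 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=file
type=SYSCALL msg=audit(1155066811.517:311): arch=40000003 syscall=4 success=yes exit=32 pid=2745 comm="test_fscreate" subj=user_u:user_r:user_t:s0
type=AVC_PATH msg=audit(1155066811.517:311):  path="/proc/2745/attr/fscreate"
type=PATH msg=audit(1155066811.517:311): item=0 name="/proc/2745/attr/fscreate"
type=AVC msg=audit(1155066820.002:312): avc:  denied  { read } for  pid=2750 comm="cat" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
AVC = re.compile(r"avc:\s+(granted|denied)\s+\{ ([^}]*)\}")

def field(body, key):
    m = re.search(rf'\b{key}=("[^"]*"|\S+)', body)
    return m.group(1).strip('"') if m else None

def granted_events(log_text):
    """Group records by audit serial; summarise events holding a 'granted' (auditallow) AVC."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            events[int(m.group(3))].append((m.group(1), m.group(4)))
    out = []
    for serial, recs in sorted(events.items()):
        for rtype, body in recs:
            avc = AVC.search(body) if rtype == "AVC" else None
            if avc and avc.group(1) == "granted":
                syscall = next((b for t, b in recs if t == "SYSCALL"), "")
                out.append({
                    "serial": serial,
                    "perms": avc.group(2).split(),
                    "pid": int(field(body, "pid")),
                    "scontext": field(body, "scontext"),
                    "syscall_subj": field(syscall, "subj"),
                    "record_types": sorted({t for t, _ in recs}),
                    "has_path": any(t in ("PATH", "AVC_PATH") for t, _ in recs),
                })
    return out

if __name__ == "__main__":
    for ev in granted_events(SAMPLE_LOG):
        print(ev)
```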



