[redhat-lspp] userdomain policy question ..

Janak Desai janak at us.ibm.com
Tue Aug 8 20:12:18 UTC 2006


On Tue, 2006-08-08 at 15:53 -0400, Daniel J Walsh wrote:
> Klaus Weidner wrote:
> > On Tue, Aug 08, 2006 at 04:22:54PM -0300, Thiago Jung Bauermann wrote:
> >   
> >> We did one test with the auditallow rule for write and another with the
> >> auditallow rule for setfscreate. The records found in the audit log for
> >> both tests are attached. The difference is that the auditallow rule for
> >> the write operation adds PATH and AVC_PATH audit records, while the
> >> setfscreate rule just generates AVC and SYSCALL records.
> >>     
> >
> > Thanks for testing! The record is fine, the path information isn't needed
> > since the AVC record contains both the PID and the operation type
> > (setfscreate). It's more informative than the write record.
> >
> > Can a loadable policy module add "auditallow" entries like these, or does
> > this need to go into the base policy?
> >   
> They can be in modules.

Yes, we tested this with a small loadable policy module. 

Dan, in your opinion is a loadable module the best way to handle
this? I guess since the existing allow/fscreate line is in
base_user_template, a module can apply the change only for the
lspp evaluation system.

> >   
> >> Both mention the pid and security context of the subject changing the
> >> fscreate file both in the AVC message and in the SYSCALL message, but
> >> none of them displays the new contents of the fscreate file.
> >>
> >> Klaus: do you think the info there is sufficient for LSPP?
> >>     
> >
> > It would be nice to have the new fscreate context in the log, but it's
> > not required by LSPP. (The "additional event details" column doesn't list
> > it, and it's not one of the standard required audit record fields.)
> >
> > -Klaus
> >
> > --
> > redhat-lspp mailing list
> > redhat-lspp at redhat.com
> > https://www.redhat.com/mailman/listinfo/redhat-lspp

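A small correlation script, added here as an example and not part of the thread, that pulls the pid, command, subject context and login uid out of the auditallow-generated AVC and SYSCALL records for setfscreate. The record layout and the sample log lines are constructed assumptions modelled on the fields the tests above describe; it also shows why the new fscreate context is absent from the result.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread); pids, serials and
# contexts are made up, modelled on what an auditallow rule produces.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1155067393.612:1021): arch=c000003e syscall=1 success=yes exit=32 pid=4211 auid=500 uid=0 comm="restorecon" exe="/sbin/restorecon" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1155067393.612:1021): avc:  granted  { setfscreate } for  pid=4211 comm="restorecon" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1155067400.004:1022): arch=c000003e syscall=1 success=yes exit=5 pid=4212 auid=500 uid=500 comm="cat" exe="/bin/cat" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1155067400.004:1022): avc:  granted  { write } for  pid=4212 comm="cat" path="/tmp/x" dev=dm-0 ino=77 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:tmp_t:s0 tclass=file
"""

MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
GRANTED_RE = re.compile(r'avc:\s+granted\s+\{ ([^}]+) \} for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(body):
    """Turn 'k=v k2="v 2"' record bodies into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def setfscreate_events(log_text):
    """Return one dict per auditallow 'granted' AVC record whose permission
    set includes setfscreate, merged with the SYSCALL record sharing the same
    audit serial so pid, exe and login uid (auid) come out together."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            by_serial[serial][rtype] = body
    events = []
    for serial, recs in by_serial.items():
        g = GRANTED_RE.search(recs.get('AVC', ''))
        if not g or 'setfscreate' not in g.group(1).split():
            continue
        avc = parse_kv(g.group(2))
        sc = parse_kv(recs.get('SYSCALL', ''))
        events.append({
            'serial': serial,
            'pid': avc.get('pid'),
            'comm': avc.get('comm'),
            'scontext': avc.get('scontext'),
            'exe': sc.get('exe'),
            'auid': sc.get('auid'),
            'success': sc.get('success'),
            # Neither record carries the new fscreate context, as noted in
            # the thread, so it cannot be reported from the log alone.
        })
    return events
```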