[redhat-lspp] Re: [patch] Full relabel audit event

Stephen Smalley sds at tycho.nsa.gov
Fri May 26 17:05:20 UTC 2006


On Thu, 2006-05-25 at 17:01 -0400, James Antill wrote:
>  The attached patch implements the full relabel audit event (i.e. an
> audit event occurs when a full relabel occurs, i.e. when /.autorelabel
> exists at boot).
>  Note that although the code is correct, this patch doesn't actually
> work due to kernel bugs[1].
> 
>  It'll be in Fedora development as part of policycoreutils-1.30.10-3
> onwards.
> 
> [1] see the thread on linux-audit if you want the details.

Hmmm...what is it that you actually want to do here?  If you only care
about auditing autorelabel events, then I'd suggest generating the audit
message from the autorelabel portion of rc.sysinit (via a helper, I
suppose), not from setfiles itself.  If you want to audit all full
relabels, then you need to instrument more than setfiles (e.g.
restorecon -R / works just as well), and of course, you potentially need
to do something at the kernel level with audit filters or auditallow
rules in policy if you truly want to capture all relabels.  And, of
course, just auditing it when they happen to pass "/" as an argument
isn't very reliable.

Not sure which thread you are referring to; I don't see prior discussion
of a relabel audit event in the linux-audit archives.

-- 
Stephen Smalley
National Security Agency
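
The first suggestion in the reply above (emit the audit message from the autorelabel step of the boot script through a helper, rather than from setfiles) could look like the following. This is an added example, not code from rc.sysinit, policycoreutils, or either poster. It assumes `auditctl -m` is available to send a user-space audit message; the function names and the message text are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: audit the autorelabel decision where it is made,
# independent of which tool (setfiles, restorecon, fixfiles) does the work.
# Assumption: "auditctl -m TEXT" sends a user-space audit message and needs
# CAP_AUDIT_WRITE. Override AUDIT_CMD to exercise the helper without root.
: "${AUDIT_CMD:=auditctl -m}"

# Emit one user-space audit message (message format is constructed).
audit_emit() {
    # AUDIT_CMD is left unquoted on purpose: it is a command plus its flag.
    $AUDIT_CMD "$1"
}

# autorelabel_with_audit ROOT CMD [ARGS...]
# If ROOT/.autorelabel exists, record the event, run the relabel command,
# then record its outcome. Returns 0 when no relabel was requested,
# otherwise the exit status of the relabel command.
autorelabel_with_audit() {
    root=$1
    shift
    flag="${root%/}/.autorelabel"
    [ -f "$flag" ] || return 0

    # Log before relabeling so a record exists even if the run is cut short.
    audit_emit "op=autorelabel-start trigger=$flag" || return 1

    "$@"
    status=$?

    if [ "$status" -eq 0 ]; then
        audit_emit "op=autorelabel-end res=success"
    else
        audit_emit "op=autorelabel-end res=failed exit=$status"
    fi
    return "$status"
}

# Illustrative call from a boot script (the relabel command is an assumption):
#   autorelabel_with_audit / fixfiles restore
```

This covers only the boot-time autorelabel case; relabels started by hand with other tools still need the kernel-level audit filters or auditallow rules mentioned in the reply.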



