SELinux, LSM, SNARE ...
Stephen Smalley
sds at epoch.ncsc.mil
Fri Feb 11 19:20:22 UTC 2005
On Fri, 2005-02-11 at 13:23, M. Fecina wrote:
> However, with all of the patches and progress being made
> on SELinux, I'm wondering what the comparison is between
> SNARE and SELinux. I know SELinux is built-in to the 2.6
> kernel tree, and in conjunction with some userspace daemons (auditd),
> it can provide audit trails.
Wrong question. You want to compare SNARE with the mainline 2.6 audit
framework, not SNARE vs. SELinux.
SELinux provides mandatory access controls, not audit. It happens to
include configurable support for generating audit messages of MAC
permission checks, but does not provide an audit subsystem itself.
Originally SELinux just passed its audit messages to klogd via printk
since there was no audit subsystem in the mainline kernel, but after an
audit framework was added to 2.6, SELinux was modified to pass its audit
messages to the audit framework, which in turn will either pass them
along to klogd (if no auditd is registered) or to auditd.
Work is ongoing to make the kernel audit framework sufficient to meet
CAPP requirements, as you have no doubt seen from the messages on this
list. When it gets to that point, the SNARE userspace should IMHO be
ported to use the kernel audit framework rather than their own kernel
patches (which were unsafe to begin with).
Fedora rawhide should contain the latest auditd. For the kernel, David
Woodhouse has been building kernels that include the kernel patches -
see his postings.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the Linux-audit
mailing list