AVC messages

Stephen Smalley sds at epoch.ncsc.mil
Tue Jan 4 20:28:14 UTC 2005


On Tue, 2005-01-04 at 15:08, Steve Grubb wrote:
> On Tuesday 04 January 2005 14:51, Stephen Smalley wrote:
> > It belongs in an audit log, but you could certainly have multiple audit
> > logs, with one dedicated to SELinux (i.e. MAC) audit messages.
> 
> One of the reasons I'm asking is because it's not controllable via the audit
> interface. Without any audit rules loaded, you get SE Linux audit messages
> filling up the logs.
> 
> If you used laus, for example, do avc messages wind up in the logs?

Keep in mind that when we originally wrote SELinux, there was no kernel
audit framework, so we simply used the existing kernel logging
infrastructure, but we always expected to migrate to using a real audit
subsystem once one became available.

I don't see any real benefit to moving the SELinux policy audit rules
out of the policy and into a separate audit rule database, particularly
as you would have to then duplicate the policy abstractions in your
audit policy.  But I don't see why that should prevent you from handling
SELinux audit messages via auditd and directing them to a MAC audit log
file.  The kernel logging infrastructure can't really handle the
potential load of SELinux audit, and you don't really want SELinux audit
messages intermingled with other kernel log messages.

LaUS wasn't integrated with SELinux at all.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
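As an added illustration of the routing Smalley describes (AVC records going to a dedicated MAC audit log instead of being intermingled with other kernel records), the following Python is not part of this thread; it assumes the kernel's `type=AVC msg=audit(...)` record layout, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample audit records (not from any real system): three AVC
# records and one SYSCALL record that should stay in the general log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1104870494.123:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=hda1 ino=5678 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1104870494.123:42): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1104870500.456:43): avc:  granted  { setenforce } for  pid=99 comm="setenforce" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
type=AVC msg=audit(1104870501.789:44): avc:  denied  { write } for  pid=1234 comm="httpd" name="log" dev=hda1 ino=91 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file
"""

# Header of an AVC record: timestamp, serial, verdict and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)"
)
# key=value pairs after "for"; values may be quoted (comm="httpd").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
            "verdict": m.group("verdict"), "perms": m.group("perms").split(),
            **fields}


def split_mac_audit(audit_text):
    """Separate AVC (MAC) records from everything else, as a dedicated
    MAC audit log would. Returns (parsed AVC records, other raw lines)."""
    mac, other = [], []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            other.append(line)
        else:
            mac.append(rec)
    return mac, other


def summarize_denials(records):
    """Count denials per (source context, target context, class) so the
    domains generating the most AVC noise stand out."""
    counts = Counter()
    for r in records:
        if r["verdict"] == "denied":
            counts[(r["scontext"], r["tcontext"], r["tclass"])] += 1
    return counts
```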
