[redhat-lspp] Re: New Audit types

Chad Hanson chanson at TrustedCS.com
Wed Nov 2 21:19:21 UTC 2005


> 
> I think you're missing a subtle point. Assume that the user has the
> permissions to read secret and write to an unlabeled media. Assume they have
> properly allocated the device and are ready to do something.
> 
> Given that, what is the correct action? LSPP says that it's an auditable event
> - it doesn't say it must be prevented. Should each program that does this be
> patched or does a central mechanism in the kernel need to handle this?

I believe this should be covered by the existing syscall auditing such as
open and others. The LSPP doesn't state the auditing of the export has to be
any different than other fs auditing, just that it has to occur IMHO. The
additional requirement is the device allocation auditing requirements. An
audit analyst should *hopefully* be able to correlate what has been exported
given these events. 

-Chad



