[PATCH] LSPP audit enablement: storing selinux ocontext and scontext

Steve Grubb sgrubb at redhat.com
Mon Sep 26 19:00:39 UTC 2005


On Thursday 21 July 2005 11:48, Dustin Kirkland wrote:
> The attached patch contains functionality specified by the labeled
> security protection profile--basically appending object context and
> subject context labels to audit records.

Let's use the following audit message number ranges for the next round of
development:

1500 - 1599 kernel LSPP events
1600 - 1699 user space generated LSPP events
1700 - 1799 kernel crypto events
1800 - 1899 user space crypto events
1900 - 1999 future use (maybe integrity labels and related events)
2100 - 2199 user space anomaly records
2200 - 2299 user space actions taken in response to anomalies


I'd also like to suggest that this patch collect 2 kinds of contexts, subject 
and object. Subject being the context associated with the caller, object 
being whatever system object that is being accessed. There can be more than 
one object in the syscall. I'm undecided about whether they should be all in 
1 record or each a separate record in the same event. This would mean taking 
1500 as subject label and 1501 as object label.

-Steve



