[PATCH 0/2] SELinux Context Label based audit filtering

Dustin Kirkland dustin.kirkland at us.ibm.com
Thu Feb 2 19:38:22 UTC 2006


The following two patches provide filtering of audit messages based on
any element of an SELinux context label (user, role, type, category,
sensitivity).  The first patch provides the kernel enhancements and the
second patch provides user space enhancements.

This functionality is required for certification by RBAC FAU_SEL.1.1(b)
(Selective Audit), pasted here for reference:

FAU_SEL.1 Selective Audit
FAU_SEL.1.1 The TSF shall be able to include or exclude auditable events
from the set of audited events based on the following attributes:
(a) Object identity, user identity, subject identity, host identity, and
event type
(b) Users belonging to a specified Role and Access types (e.g. delete,
insert) on a particular object

The LSPP/RBACPP certification efforts have taken SELinux roles to
sufficiently satisfy RBAC's dependencies on role labels.  An SELinux
label, however, contains additional object classifying elements.  Only
incremental effort beyond my original work to add role-based audit
message filtering resulted in the ability for administrators to filter
based on any part of the SELinux label.  I expect that functionality to
be generally useful and probably expected by users who would have the
ability to filter on roles.

Additionally, I extended my previous work on audit comparator support
to apply to strings, such that label elements may be compared with (=, !=,
>=, <=, >, <).  Although supported, the fact that "user_u" > "root" is
less useful than, say, "s1" < "s3".  Simply the fact that such comparators
are supported should reduce the complexity of some esoteric ranges
various users of audit might require.

These patches make use of the new audit_rule_data structure put forth by
Amy Griffis, which I have been testing extensively during my
development.  Her patches are required in order to pass arbitrary length
strings as part of the audit rules to and from the kernel.  My patches
depend on two patches she posted on this list (linux-audit at redhat.com),
and are identified in the following two messages.



:-Dustin
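The rule semantics the cover letter describes, as an added illustration (not code from the patch series, from auditctl or from the kernel): a rule names one label element, one of the six comparators and a string, and the comparison is a plain string comparison, which is why "s1" < "s3" is meaningful and "user_u" > "root" is not. The rule tuple format, the field names, the label parsing and the sample events are assumptions for illustration.

```python
"""Illustration of SELinux-label-element audit filtering with string
comparators.  Example code added for this archive page; field names, rule
format, label parsing and sample events are assumptions, not the patch's."""
import operator

# The six comparators named in the cover letter, applied to strings.
COMPARATORS = {
    "=": operator.eq, "!=": operator.ne,
    ">=": operator.ge, "<=": operator.le,
    ">": operator.gt, "<": operator.lt,
}

# Constructed sample events: (subject context label, message).
EVENTS = [
    ("system_u:system_r:kernel_t:s0", "kernel event"),
    ("root:sysadm_r:sysadm_t:s3:c0.c3", "admin event"),
    ("user_u:user_r:user_t:s1:c0.c3", "user event"),
    ("staff_u:staff_r:staff_t:s2:c0.c5-s3:c0.c7", "staff event"),
]

def parse_context(label):
    """Split 'user:role:type[:low[-high]]' into the elements a rule can name.
    Only the low level's sensitivity and category set are taken from an MLS
    range (assumption; the real rule may treat the range differently)."""
    parts = label.split(":", 3)
    ctx = {"user": parts[0], "role": parts[1], "type": parts[2],
           "sensitivity": "", "category": ""}
    if len(parts) == 4:
        low = parts[3].split("-", 1)[0]          # "s2:c0.c5-s3:c0.c7" -> "s2:c0.c5"
        sens, _, cats = low.partition(":")       # -> "s2", "c0.c5"
        ctx["sensitivity"], ctx["category"] = sens, cats
    return ctx

def matches(rule, label):
    """Evaluate one rule ('field', 'op', 'value') against a context label.
    Plain string comparison: 's1' < 's3' works, but 's10' < 's3' is also
    true lexicographically, so multi-digit levels need care."""
    field, op, value = rule
    return COMPARATORS[op](parse_context(label)[field], value)

def select_events(rules, events):
    """Return the events whose label satisfies every rule (AND of rules)."""
    return [ev for ev in events if all(matches(r, ev[0]) for r in rules)]

if __name__ == "__main__":
    # Audit only sensitivity s2 and above, excluding the sysadm role.
    for label, msg in select_events([("sensitivity", ">=", "s2"),
                                     ("role", "!=", "sysadm_r")], EVENTS):
        print(msg, label)
```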