[PATCH 1/2] SELinux Context Label based audit filtering

Stephen Smalley sds at tycho.nsa.gov
Fri Feb 3 14:17:16 UTC 2006


On Thu, 2006-02-02 at 17:18 -0500, Steve Grubb wrote:
> I think we are covered. I mentioned to Dustin that those fields need to be 
> handled as integers for comparison. We should be able to specify a range for 
> matching like:
> 
> -F "se_sensitivity>=2" -F "se_sensitivity<=9"

This requires that SELinux perform the filter interpretation, as the
context structures and dominance relation are purely internal to it, and
the audit system should not be directly tied to them.

> Is there a convention for context parsing? If not, we should probably decide 
> what it will be or at least how to identify the end of what we know so that 
> if they get out of sync in the future, it would do the wrong thing.

The "convention" is that only the SELinux module and the core SELinux
libraries parse them.  Everything else has to use an API provided by the
SELinux module (for in-kernel users) or the core SELinux libraries (for
userland).

-- 
Stephen Smalley
National Security Agency



