[PATCH 1/2] SELinux Context Label based audit filtering

Steve Grubb sgrubb at redhat.com
Fri Feb 3 14:27:39 UTC 2006


On Friday 03 February 2006 09:17, Stephen Smalley wrote:
> > -F "se_sensitivity>=2" -F "se_sensitivity<=9"
>
> This requires that SELinux perform the filter interpretation, as the
> context structures and dominance relation are purely internal to it, and
> the audit system should not be directly tied to them.

The plan was to call SELinux libraries to interpret custom text (public) to 
sensitivity and send the raw sensitivity (s0). As for dominance 
calculations...we aren't granting access. If someone says they want s2 and 
above, we should be able to see that s3 is greater than s2 and generate an 
audit record. If you have an API for comparing s3 and s2, let us know and 
we'll use it.

> The "convention" is that only the SELinux module and the core SELinux
> libraries parse them.  Everything else has to use an API provided by the
> SELinux module (for in-kernel users) or the core SELinux libraries (for
> userland).

I suppose you are right. I should have mentioned that we have no interest in 
parsing the full context. User space was going to take the context parsed by 
humans as separate fields. This way it is extensible. If a new extension is 
added in the future, we add a new field.

In the kernel, Dustin was going to use your API to take a sid to its individual 
components. For strings we only need = and !=. For levels and sensitivity, we 
were going to need to do a comparison since people could desire auditing 
secret and above, but let everything else go.

-Steve
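The filter semantics discussed in this thread (equality on string components, ordering only on sensitivity, as in `-F "se_sensitivity>=2" -F "se_sensitivity<=9"`), written out as an added illustration that is not part of the patch or the list discussion. It assumes sensitivities order numerically by their `sN` index and parses the context string directly, which is exactly the shortcut the thread says userspace should avoid in favour of the libselinux API; the field names other than `se_sensitivity` are hypothetical.

```python
import re
from typing import Callable, Dict, List, Tuple

# Audit-style rule: FIELD OP VALUE, e.g. "se_sensitivity>=2" or "se_type=auditd_t".
RULE_RE = re.compile(r'^(\w+)(>=|<=|!=|=)(.+)$')

# Ordering operators are only meaningful for the sensitivity component.
OPS: Dict[str, Callable[[object, object], bool]] = {
    '=': lambda a, b: a == b,
    '!=': lambda a, b: a != b,
    '>=': lambda a, b: a >= b,
    '<=': lambda a, b: a <= b,
}

def parse_context(ctx: str) -> Dict[str, object]:
    """Split 'user:role:type:sN[:cats][-high]' into components.
    ASSUMPTION: the low (current) sensitivity 'sN' is compared by N; real
    dominance is policy-defined and belongs to SELinux, not the audit code."""
    parts = ctx.split(':')
    if len(parts) < 4:
        raise ValueError(f'not an MLS context: {ctx!r}')
    low = parts[3].split('-')[0]          # drop any "-high" range suffix
    m = re.fullmatch(r's(\d+)', low)
    if not m:
        raise ValueError(f'bad sensitivity {low!r} in {ctx!r}')
    return {'se_user': parts[0], 'se_role': parts[1], 'se_type': parts[2],
            'se_sensitivity': int(m.group(1))}

def parse_rule(rule: str) -> Tuple[str, str, object]:
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f'bad rule {rule!r}')
    field, op, value = m.groups()
    if field == 'se_sensitivity':
        return field, op, int(value.lstrip('s'))   # accept "2" or "s2"
    if op in ('>=', '<='):
        raise ValueError(f'{op} is only defined for se_sensitivity')
    return field, op, value

def matches(ctx: str, rules: List[str]) -> bool:
    """True when every -F rule holds for the context (all rules are ANDed)."""
    fields = parse_context(ctx)
    return all(OPS[op](fields[f], v) for f, op, v in map(parse_rule, rules))
```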
