[PATCH 1/2] SELinux Context Label based audit filtering
Stephen Smalley
sds at tycho.nsa.gov
Fri Feb 3 15:14:09 UTC 2006
On Fri, 2006-02-03 at 10:12 -0500, Stephen Smalley wrote:
> On Fri, 2006-02-03 at 09:47 -0500, Steve Grubb wrote:
> > On Friday 03 February 2006 09:46, Stephen Smalley wrote:
> > > Ok, so this means that SELinux needs to provide an API for such
> > > comparisons, and likely for precomputing the internal context structure
> > > for a given MLS range provided in an audit rule so that we don't have to
> > > re-do that on each filter evaluation.
> >
> > What if the filter rule was:
> >
> > auditctl -a exit,always -S open -F "se_sensitivity>=confidential"
> >
> > And that is all you have to work with? Are we still OK?
>
> First, you'd need a way to indicate whether you mean the low (also
> referred to as current) level or the high (also referred to as clearance
> or max) level in the above specification, as each security context has
> two levels associated with it (they show up abbreviated as a single
> level if they happen to be the same), a low and a high.
The other missing distinction above is whether you are referring to the
process sensitivity or the sensitivity of one of the objects accessed
during the syscall, e.g. the file context.
--
Stephen Smalley
National Security Agency
More information about the Linux-audit
mailing list