[PATCH] context based audit filtering (take 3)

Stephen Smalley sds at tycho.nsa.gov
Wed Feb 22 14:58:52 UTC 2006


On Tue, 2006-02-21 at 17:59 -0600, Darrel Goeddel wrote:
> The updated version of Dustin's patch I referred to is below.  The changes are
> as follows:
>
> - printk a warning and ignore invalid selinux rules (but still hang on to them
>   so they may be activated with a later policy reload).

Should this be a printk or an audit_log call?

> @@ -370,6 +410,14 @@ static int audit_compare_rule(struct aud
>  			if (audit_compare_watch(a->watch, b->watch))
>  				return 1;
>  			break;
> +		case AUDIT_SE_USER:
> +		case AUDIT_SE_ROLE:
> +		case AUDIT_SE_TYPE:
> +		case AUDIT_SE_SEN:
> +		case AUDIT_SE_CLR:
> +			if (strcmp(a->fields[i].se_str, b->fields[i].se_str))
> +				return 1;
> +			break;
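
Review bot: the strcmp() in the new AUDIT_SE_* case dereferences a->fields[i].se_str and b->fields[i].se_str with no NULL check, and nothing in the visible lines shows that both pointers are always set when the field type is one of these five. If a rule can reach audit_compare_rule() without its string, guard the comparison; otherwise state the invariant in a comment above the case labels. Because the comparison is on the strings as supplied, two rules that name the same label differently will not be treated as duplicates, so a one-line comment saying whether that is intended would also help.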

Do you want to catch aliases here?  If so, you need to have SELinux look
up the strings and compare the actual values.  But possibly that isn't
critical for the purposes of just preventing duplicate filters.

-- 
Stephen Smalley
National Security Agency