[PATCH] context based audit filtering (take 3)

Darrel Goeddel dgoeddel at trustedcs.com
Thu Feb 23 23:31:42 UTC 2006


Stephen Smalley wrote:
> On Tue, 2006-02-21 at 17:59 -0600, Darrel Goeddel wrote:
> 
>>The updated version of Dustin's patch I referred to is below.  The changes are
>>as follows:
>>
>>- printk a warning and ignore invalid selinux rules (but still hang on to them
>>  so they may be activated with a later policy reload).
> 
> 
> Should this be a printk or an audit_log call?

Steve G had suggested syslogging it, so I went with the printk.  What would
be more noticeable?

>>@@ -370,6 +410,14 @@ static int audit_compare_rule(struct aud
>> 			if (audit_compare_watch(a->watch, b->watch))
>> 				return 1;
>> 			break;
>>+		case AUDIT_SE_USER:
>>+		case AUDIT_SE_ROLE:
>>+		case AUDIT_SE_TYPE:
>>+		case AUDIT_SE_SEN:
>>+		case AUDIT_SE_CLR:
>>+			if (strcmp(a->fields[i].se_str, b->fields[i].se_str))
>>+				return 1;
>>+			break;
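Review bot: the strcmp() in the new AUDIT_SE_* cases dereferences a->fields[i].se_str and b->fields[i].se_str unconditionally; since the cover text says rules that fail SELinux validation are kept around for a later policy reload, confirm that se_str is always populated for these field types before such a rule can reach audit_compare_rule(), or guard the compare (two NULLs equal, NULL versus a string different). Also worth a one-line comment above the case block that a plain string compare deliberately treats a type and its alias as distinct rules, so the behaviour discussed in this thread is not later "fixed" by a well-meaning reader.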
> 
> 
> Do you want to catch aliases here?  If so, you need to have SELinux look
> up the strings and compare the actual values.  But possibly that isn't
> critical for the purposes of just preventing duplicate filters.

I like treating them separately because they are conceptually different to the
creator of the audit rules.  If X and Y are both types in the policy, then we
should be able to define rules based on them.  And yes... this kinda goes back
to keeping rules around even if they are currently invalid (or aliases).
Let's say that the current policy has X aliased to Y, and a policy reload
results in X and Y being distinct types - I think the audit rules should be in
there for X and Y.

If we do away with the idea of invalid (or aliased) rules around, we could add
in a comparator function for selinux, but I think we are fine the way it is.

-- 

Darrel