[PATCH] context based audit filtering (take 3)
Stephen Smalley
sds at tycho.nsa.gov
Fri Feb 24 13:32:25 UTC 2006
On Thu, 2006-02-23 at 17:31 -0600, Darrel Goeddel wrote:
> Stephen Smalley wrote:
> > On Tue, 2006-02-21 at 17:59 -0600, Darrel Goeddel wrote:
> >
> >>The updated version of Dustin's patch I referred to is below. The changes are
> >>as follows:
> >>
> >>- printk a warning and ignore invalid selinux rules (but still hang on to them
> >> so they may be activated with a later policy reload).
> >
> >
> > Should this be a printk or an audit_log call?
>
> Steve G had suggested syslogging it, so I went with the printk. What would
> be more noticeable?
Anything user-triggerable should likely be using audit_log. Internal
kernel errors reflecting a bug within the kernel might still use
printk(KERN_ERR...). But I think we want to migrate SELinux and audit
over to using audit_log whenever possible, only using printk as the
fallback for things like audit_panic, no audit daemon, etc.
--
Stephen Smalley
National Security Agency