[redhat-lspp] Re: [patch] Full relabel audit event
Steve Grubb
sgrubb at redhat.com
Tue May 30 13:22:44 UTC 2006
On Friday 26 May 2006 13:05, Stephen Smalley wrote:
> Hmmm...what is it that you actually want to do here?

We need to meet the requirements for LSPP where there is a relabel on boot,
but we do not want a record for each file that was touched. It was discussed
on the LSPP telecon a while back that just one record was sufficient.

> If you only care about auditing autorelabel events, then I'd suggest
> generating the audit message from the autorelabel portion of rc.sysinit (via
> a helper, I suppose), not from setfiles itself.

This is a shell script and cannot connect to libaudit.

> If you want to audit all full relabels, then you need to instrument more
> than setfiles (e.g. restorecon -R / works just as well), and of course, you
> potentially need to do something at the kernel level with audit filters or
> auditallow rules in policy if you truly want to capture all relabels.

We get relabels by monitoring the setxattr syscall. But during bootup before
going interactive, we just want 1 message.

-Steve