[PATCH] audit: Match SELinux context in "user" records

Eric Paris eparis at redhat.com
Mon Nov 9 18:21:13 UTC 2009


On Mon, 2009-11-09 at 16:10 +0100, Miloslav Trmač wrote:
> From: Miloslav Trmac <mitr at redhat.com>
> 
> Add support for matching by security label (e.g. SELinux context) of
> the sender of a user-space audit record.
> 
> The audit filter code already allows user space to configure such
> filters, but they were ignored during evaluation.  This patch implements
> evaluation of these filters.
> 
> For example, after application of this patch, PAM authentication logs
> caused by cron can be disabled using
> 	auditctl -a user,never -F subj_type=crond_t
> 
> Signed-off-by: Miloslav Trmac <mitr at redhat.com>

I wish there was a way to stop sending these instead of dropping them
later, but the functionality itself is not a horrid idea and this isn't
a performance hot list (like the syscall list)  so.....

Acked-by: Eric Paris <eparis at redhat.com>

(I actually talked to Al about it already and he'll queue it up for the
next merge window)
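
The filter evaluation described in the quoted commit message, sketched as an added example that is not part of the original thread and is not the kernel's code. It is a simplified user-space model; the names `ctx_component`, `user_filter` and `sample_rules` are hypothetical. It assumes exact string comparison on one context component, and that the first matching rule decides while unmatched records are logged.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space model of a "user" filter list; not kernel code. */
enum action { NEVER, ALWAYS };
enum field { SUBJ_USER, SUBJ_ROLE, SUBJ_TYPE };  /* index into user:role:type */

struct rule { enum action action; enum field field; const char *value; };

/* Copy component idx of "user:role:type[:level]" into out; 0 on success. */
static int ctx_component(const char *ctx, int idx, char *out, size_t outlen)
{
    for (int i = 0; i < idx; i++) {
        ctx = strchr(ctx, ':');
        if (!ctx)
            return -1;
        ctx++;
    }
    size_t len = strcspn(ctx, ":");
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, ctx, len);
    out[len] = '\0';
    return 0;
}

/* 1 = log the record, 0 = drop it. First matching rule decides;
 * a record that matches no rule is logged (assumed model behaviour). */
static int user_filter(const struct rule *rules, size_t n, const char *sender_ctx)
{
    char comp[64];
    for (size_t i = 0; i < n; i++) {
        if (ctx_component(sender_ctx, rules[i].field, comp, sizeof comp) != 0)
            continue;  /* unparsable context: rule cannot match, keep logging */
        if (strcmp(comp, rules[i].value) == 0)
            return rules[i].action == ALWAYS;
    }
    return 1;
}

/* Constructed data. Rule models: auditctl -a user,never -F subj_type=crond_t */
static const struct rule sample_rules[] = { { NEVER, SUBJ_TYPE, "crond_t" } };

int main(void)
{
    printf("crond: %d\n", user_filter(sample_rules, 1, "system_u:system_r:crond_t:s0-s0:c0.c1023"));
    printf("sshd:  %d\n", user_filter(sample_rules, 1, "system_u:system_r:sshd_t:s0-s0:c0.c1023"));
    return 0;
}
```

In this model a sender context that cannot be parsed never matches a `never` rule, so the record is still logged rather than silently dropped.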



