[redhat-lspp] exporting data, device allocator, etc

Steve Grubb sgrubb at redhat.com
Wed Nov 2 17:31:06 UTC 2005


On Wednesday 02 November 2005 12:18, Russell Coker wrote:
> The media itself will be removable_device_t.  So if you want to audit
> writing to a CD/DVD (assuming it's not a DVD-RAM which may work differently
> - I've never used one) then you will be auditing writing to the
> removable_device_t type of device node.

This might be how SE Linux looks at the world, but the audit system is what we 
want to use. You would really do it something like this:

[root at discovery ~]# ls -l /dev/cdrom
lrwxrwxrwx  1 root root 3 Nov  2 03:11 /dev/cdrom -> hdc
[root at discovery ~]# stat /dev/hdc
  File: `/dev/hdc'
  Size: 0               Blocks: 0          IO Block: 4096   block special file
Device: fh/15d  Inode: 608         Links: 1     Device type: 16,0
Access: (0600/brw-------)  Uid: ( 4325/  sgrubb)   Gid: (    6/    disk)
Access: 2005-11-02 03:11:19.212251750 -0500
Modify: 2005-11-02 03:11:19.212251750 -0500
Change: 2005-11-02 08:12:34.000000000 -0500

[root at discovery ~]# auditctl -a exit,always -S open -F devmajor=16 -F devminor=0

> Therefore the issue we face is auditing the files read by the cdrecord
> program.  Configuring the system to audit file reads by user_cdrecord_t
> etc by the use of auditallow rules is easy enough.

No. We need to use the audit system for auditing.

> The next issue is floppy disks, USB mass storage and other removable
> media that might be auto-mounted.  

Automounting is forbidden by LSPP.

> Other discussion suggested that USB mass storage would not be supported, but
> floppies have the same issues. The issue is that the system assigns the type
> dosfs_t to all MS-DOS based file systems by default and the Red Hat
> configuration is to use a context mount to assign the type removable_t (with
> wide access permitted in the strict policy).

Audit system, not SE Linux...

-Steve
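The device-node rule in the message above, as an added example that is not part of the original post or of the audit project: a small POSIX sh helper that resolves a device path (following a symlink such as /dev/cdrom -> hdc), refuses anything that is not a block or character device, reads the major/minor with GNU stat and emits the auditctl rule. The caveat it encodes is that stat prints "Device type" (and its %t/%T formats) in hexadecimal, while auditctl's -F devmajor= and -F devminor= take decimal, so the numbers are converted before they go into the rule. Both open and openat are listed because current libc implements open() through openat(). The function names are this example's own; it assumes GNU readlink and stat, as found on the Linux hosts auditctl runs on.

```shell
#!/bin/sh
# Added example, not from the original message or the audit project.
# Build an auditctl device rule from a device-node path. stat(1) prints the
# device type in hexadecimal (%t = major, %T = minor), while auditctl's
# devmajor/devminor fields take decimal, so the conversion is the point.
# Function names here are this example's own.

# hex_to_dec HEX: print HEX as a decimal integer using POSIX arithmetic.
# Rejects empty or non-hex input instead of tripping an expansion error.
hex_to_dec() {
    case $1 in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    echo $(( 0x$1 ))
}

# audit_rule_for_devnum MAJOR_HEX MINOR_HEX: print the auditctl command that
# records every open()/openat() of the node with that major/minor pair.
audit_rule_for_devnum() {
    maj=$(hex_to_dec "$1") || return 1
    min=$(hex_to_dec "$2") || return 1
    echo "auditctl -a exit,always -S open -S openat -F devmajor=$maj -F devminor=$min"
}

# audit_rule_for_node PATH: resolve symlinks (/dev/cdrom -> hdc in the
# message), insist on a block or character device so that devmajor/devminor
# actually mean something, then build the rule from GNU stat's hex output.
audit_rule_for_node() {
    node=$(readlink -f -- "$1") || return 1
    if [ ! -b "$node" ] && [ ! -c "$node" ]; then
        echo "$1: not a device node, devmajor/devminor would never match" >&2
        return 1
    fi
    devtype=$(stat -c '%t %T' -- "$node") || return 1
    # word splitting into "MAJOR MINOR" is intended here
    audit_rule_for_devnum $devtype
}

# Usage: sh thisfile.sh /dev/cdrom  -> prints the rule to load with auditctl.
if [ -n "${1:-}" ]; then
    audit_rule_for_node "$1"
fi
```

Run it against the node you intend to audit and compare the decimal values with `ls -l /dev/...`, which prints major and minor in decimal; the two views must agree before the rule is loaded, otherwise the rule silently matches a different device.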



