[redhat-lspp] RBAC Roles

Steve Grubb sgrubb at redhat.com
Wed Sep 21 19:28:25 UTC 2005


On Wednesday 21 September 2005 15:17, Stephen Smalley wrote:
> > We also need to have a way to suppress these audits. FAU_SEL.1 says we
> > have to have the ability to exclude events based on sensitivity labels.
> > One idea I had was that we could put a filter in audit_log_end, however,
> > the message is in text by that time and we may need to do a numeric
> > lookup. How should we handle this requirement?
>
> Hmm...we could add an equivalent to the TE dontaudit rules to the MLS
> policy, based on levels rather than types.  That would keep it in
> policy.

I don't like it being in policy for the simple reason that we want to keep 
people out of it as much as possible. (Potential for a lot of support 
problems since we don't know what else they may have accidentally deleted or 
typed.)

> If you want to do it via the audit subsystem, then if we have the
> ability to specify auditctl rules based on levels, then I would think
> you could just specify it using a never rule for the desired level. But 
> you would need to change avc_audit to only queue up audit records on the
> audit context rather than immediately emitting audit messages itself,
> and defer the generation for them all until audit_syscall_exit so that
> the syscall filter could suppress it.

That seems the best way to go. Unless there are any objections, this is how 
we'll do it.

-Steve
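As an added illustration of the deferred-emission design agreed on above (not code from the list or from the kernel), the following Python model queues AVC records on a per-syscall audit context and lets a level-based never rule drop them at syscall exit; the names `AuditContext`, `NeverRule`, `avc_audit` and `audit_syscall_exit` are illustrative stand-ins, and the sample records and levels are constructed.

```python
# Constructed model of the design above: AVC records are queued on the
# per-syscall audit context and only rendered at syscall exit, where a
# level-based "never" rule can suppress the whole batch. Names are
# illustrative, not the kernel's real API.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class AvcRecord:
    denied: bool
    perm: str
    subj_level: str   # sensitivity label of the subject, e.g. "s0"
    obj_level: str    # sensitivity label of the object

@dataclass
class AuditContext:
    """Per-syscall context; records accumulate here instead of being emitted."""
    syscall: str
    records: List[AvcRecord] = field(default_factory=list)

@dataclass
class NeverRule:
    """Syscall-exit filter: suppress output when a queued record carries
    the given object level and/or subject level."""
    obj_level: Optional[str] = None
    subj_level: Optional[str] = None

def avc_audit(ctx: AuditContext, rec: AvcRecord) -> None:
    """Deferred variant: queue only; nothing is formatted or emitted yet."""
    ctx.records.append(rec)

def format_record(ctx: AuditContext, rec: AvcRecord) -> str:
    verdict = "denied" if rec.denied else "granted"
    return (f"avc: {verdict} {{ {rec.perm} }} syscall={ctx.syscall} "
            f"scontext=...:{rec.subj_level} tcontext=...:{rec.obj_level}")

def rule_matches(rule: NeverRule, ctx: AuditContext) -> bool:
    for rec in ctx.records:
        if rule.obj_level is not None and rec.obj_level == rule.obj_level:
            return True
        if rule.subj_level is not None and rec.subj_level == rule.subj_level:
            return True
    return False

def audit_syscall_exit(ctx: AuditContext, rules: List[NeverRule]) -> List[str]:
    """Run the exit filter over the queued records: a matching never rule
    drops all of them, otherwise they are rendered to text now."""
    emitted = [] if any(rule_matches(r, ctx) for r in rules) else \
        [format_record(ctx, rec) for rec in ctx.records]
    ctx.records.clear()
    return emitted

def run_syscall(syscall: str, recs: List[AvcRecord], rules: List[NeverRule]) -> List[str]:
    """Drive one syscall through the deferred pipeline; returns emitted lines."""
    ctx = AuditContext(syscall)
    for rec in recs:
        avc_audit(ctx, rec)
    return audit_syscall_exit(ctx, rules)
```

Because the text is only generated in `audit_syscall_exit`, the filter still sees the numeric/structured levels; emitting from `avc_audit` directly would leave nothing for the exit filter to suppress.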
