[redhat-lspp] RBAC Roles

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 21 19:53:39 UTC 2005


On Wed, 2005-09-21 at 15:41 -0400, Stephen Smalley wrote:
> Another issue here is that the audit filters are applied at the end of
> the operation, so any filtering based on _object_ level (versus process
> level) may be complicated.  You don't have the object anymore, and you
> have the aggregation of data for all objects accessed during the
> syscall.  With the patch from Dustin/Dan, you will have the object
> security context strings saved in the audit context, but you still have
> to pick the "right" one, split out its parts, and compare strings or map
> to a value.

Hmm...this is clearly not satisfying.

Options:
- Extend SELinux policy and kernel security server to support
level-based auditallow and dontaudit rules, and provide a utility to
configure them separately from any other kind of policy change.  Provide
a front-end interface that internally uses both auditctl and this new
utility as needed to appropriately get and set the overall audit policy.
- Modify LSM and/or SELinux to invoke the audit subsystem from the
hooks, allowing the audit subsystem to check object-based filters from
the hooks to select audit generation, and extend auditctl to allow
configuration of these object-based filters in addition to the syscall
audit filters.

Seems like the former is actually easier to implement...
 
-- 
Stephen Smalley
National Security Agency
