[redhat-lspp] RBAC Roles
Steve Grubb
sgrubb at redhat.com
Fri Sep 23 10:26:13 UTC 2005

On Thursday 22 September 2005 16:49, Ivan Gyurdiev wrote:
> I can write a patch that does this if you need it.
> int sepol_audit_everything(int on);
> int semanage_audit_everything(int on);
>
> Seems like just an application of avtab_map that looks
> at the rule type...
>
> OTOH a kernel hook to control this seems better to me also.

I think we need to do 3 things:

1) have auditctl convert from human readable to the binary internal format
   for SE Linux,
2) from kernel/audit.c call a hook inside security/selinux/ to a new function
   that takes the 1 line audit rule and places it in the right place without
   reloading policy (this is only to generate or suppress messages based on
   subject or object labels or roles),
3) create an interface where SE Linux passes arguments instead of text to the
   audit system for further filtering. The audit system then calls
   log_start/log_format/log_end to generate the message.

The audit system cannot touch MAC rules at all. Just the messaging that may
result from the evaluation of access requests. This is required to meet both
RBAC and LSPP.

-Steve
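To make the three-step design above concrete, here is a small added example (not code from this thread, nor from the audit or SELinux projects) that models the messaging filter: a one-line human-readable rule is compiled into a binary struct (the auditctl step), an AVC-style event arrives with its subject and object contexts already split into arguments rather than text (step 3), and the filter decides only whether a message is emitted, never the access decision. The rule grammar, the field names subj_user/subj_role/subj_type/obj_user/obj_role/obj_type, the first-match semantics and all sample contexts are assumptions constructed for illustration, not the real auditctl syntax or kernel interface.

```c
/* Added example, not from the thread: toy model of an audit messaging filter
 * keyed on SE Linux subject/object labels. Rule grammar, field names and
 * first-match semantics are assumptions, not the real auditctl/kernel API. */
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 4
#define LABEL_LEN 64

enum field_kind { F_SUBJ_USER, F_SUBJ_ROLE, F_SUBJ_TYPE,
                  F_OBJ_USER, F_OBJ_ROLE, F_OBJ_TYPE };
enum action { ACT_NEVER = 0, ACT_ALWAYS = 1 };

struct field { enum field_kind kind; char value[LABEL_LEN]; };
struct audit_rule { enum action action; int nfields; struct field fields[MAX_FIELDS]; };

struct secctx { char user[LABEL_LEN], role[LABEL_LEN], type[LABEL_LEN]; };
struct avc_event { struct secctx subj, obj; };   /* already-parsed arguments, not text */

/* Split "user:role:type[:level]" into its parts; an MLS level suffix is ignored. */
int parse_context(const char *ctx, struct secctx *out)
{
    return sscanf(ctx, "%63[^:]:%63[^:]:%63[^:]", out->user, out->role, out->type) == 3 ? 0 : -1;
}

/* Compile "<always|never> [-F field=value]..." (assumed grammar) into the binary
 * rule form. Returns 0 on success, -1 on a bad action, unknown field or overflow. */
int compile_rule(const char *text, struct audit_rule *rule)
{
    static const struct { const char *name; enum field_kind kind; } names[] = {
        { "subj_user", F_SUBJ_USER }, { "subj_role", F_SUBJ_ROLE }, { "subj_type", F_SUBJ_TYPE },
        { "obj_user",  F_OBJ_USER  }, { "obj_role",  F_OBJ_ROLE  }, { "obj_type",  F_OBJ_TYPE  },
    };
    const size_t nnames = sizeof names / sizeof names[0];
    char buf[256];
    char *tok;

    memset(rule, 0, sizeof *rule);
    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);

    tok = strtok(buf, " ");
    if (tok && strcmp(tok, "always") == 0)
        rule->action = ACT_ALWAYS;
    else if (tok && strcmp(tok, "never") == 0)
        rule->action = ACT_NEVER;
    else
        return -1;

    while ((tok = strtok(NULL, " ")) != NULL) {
        char *eq;
        size_t i;
        if (strcmp(tok, "-F") != 0 || rule->nfields == MAX_FIELDS)
            return -1;
        tok = strtok(NULL, " ");
        if (!tok || (eq = strchr(tok, '=')) == NULL)
            return -1;
        *eq = '\0';
        for (i = 0; i < nnames && strcmp(tok, names[i].name) != 0; i++)
            ;
        if (i == nnames)
            return -1;
        rule->fields[rule->nfields].kind = names[i].kind;
        strncpy(rule->fields[rule->nfields].value, eq + 1, LABEL_LEN - 1);
        rule->nfields++;
    }
    return 0;
}

static const char *event_field(const struct avc_event *ev, enum field_kind k)
{
    switch (k) {
    case F_SUBJ_USER: return ev->subj.user;
    case F_SUBJ_ROLE: return ev->subj.role;
    case F_SUBJ_TYPE: return ev->subj.type;
    case F_OBJ_USER:  return ev->obj.user;
    case F_OBJ_ROLE:  return ev->obj.role;
    case F_OBJ_TYPE:  return ev->obj.type;
    }
    return "";
}

/* A rule matches when every field it names equals that part of the event's labels. */
int rule_matches(const struct audit_rule *rule, const struct avc_event *ev)
{
    for (int i = 0; i < rule->nfields; i++)
        if (strcmp(event_field(ev, rule->fields[i].kind), rule->fields[i].value) != 0)
            return 0;
    return 1;
}

/* First matching rule decides whether a message is emitted (1 = log, 0 = suppress).
 * With no match, the outcome the MAC policy already produced stands: the filter
 * only touches messaging, never the access decision. */
int should_log(const struct audit_rule *rules, int nrules,
               const struct avc_event *ev, int policy_default)
{
    for (int i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], ev))
            return rules[i].action == ACT_ALWAYS;
    return policy_default;
}

/* One rule against one event given as context strings; -1 on any parse error. */
int evaluate_one(const char *rule_text, const char *subj_ctx, const char *obj_ctx,
                 int policy_default)
{
    struct audit_rule rule;
    struct avc_event ev;
    if (compile_rule(rule_text, &rule) || parse_context(subj_ctx, &ev.subj) ||
        parse_context(obj_ctx, &ev.obj))
        return -1;
    return should_log(&rule, 1, &ev, policy_default);
}

int main(void)
{
    /* Constructed sample: log everything the secadm_r role touches, even where
     * the policy default would stay quiet. */
    const char *subj = "root:secadm_r:secadm_t:s0", *obj = "system_u:object_r:shadow_t:s0";
    printf("%s -> %s: %s\n", subj, obj,
           evaluate_one("always -F subj_role=secadm_r", subj, obj, 0) == 1 ? "log" : "suppress");
    return 0;
}
```

The point the model makes explicit is the separation Steve insists on: `should_log` can only add or remove a message for an access decision the policy has already made, and a parse failure in `compile_rule` rejects the rule rather than silently loading a partial one.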