[redhat-lspp] userdomain policy question ..

Klaus Weidner klaus at atsec.com
Tue Aug 8 19:47:04 UTC 2006


On Tue, Aug 08, 2006 at 04:22:54PM -0300, Thiago Jung Bauermann wrote:
> We did one test with the auditallow rule for write and another with the
> auditallow rule for setfscreate. The records found in the audit log for
> both tests are attached. The difference is that the auditallow rule for
> the write operation adds PATH and AVC_PATH audit records, while the
> setfscreate rule just generates AVC and SYSCALL records.

Thanks for testing! The record is fine, the path information isn't needed
since the AVC record contains both the PID and the operation type
(setfscreate). It's more informative than the write record.

Can a loadable policy module add "auditallow" entries like these, or does
this need to go into the base policy?

> Both mention the pid and security context of the subject changing the
> fscreate file both in the AVC message and in the SYSCALL message, but
> none of them displays the new contents of the fscreate file.
> 
> Klaus: do you think the info there is sufficient for LSPP?

It would be nice to have the new fscreate context in the log, but it's
not required by LSPP. (The "additional event details" column doesn't list
it, and it's not one of the standard required audit record fields.)

-Klaus
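
An added example, not part of the original message or its attachments: a small Python parser that groups audit records by event serial number and pulls the PID, command and subject context out of a granted setfscreate AVC record, so the event can be identified without PATH records. The log lines are constructed samples in the usual audit.log layout, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (NOT the attachments from this thread):
# event 501 is a setfscreate check, event 502 a write to the fscreate file.
SAMPLE_LOG = """\
type=AVC msg=audit(1155066000.101:501): avc:  granted  { setfscreate } for  pid=2301 comm="testprog" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process
type=SYSCALL msg=audit(1155066000.101:501): arch=40000003 syscall=4 success=yes exit=24 pid=2301 auid=500 uid=500 comm="testprog" exe="/tmp/testprog" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1155066007.422:502): avc:  granted  { write } for  pid=2301 comm="testprog" name="fscreate" dev=proc ino=1001 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=file
type=SYSCALL msg=audit(1155066007.422:502): arch=40000003 syscall=4 success=yes exit=24 pid=2301 auid=500 uid=500 comm="testprog" exe="/tmp/testprog" subj=user_u:user_r:user_t:s0
type=AVC_PATH msg=audit(1155066007.422:502): path="/proc/2301/attr/fscreate"
type=PATH msg=audit(1155066007.422:502): item=0 name="/proc/2301/attr/fscreate" inode=1001 dev=00:03
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")

def parse_events(text):
    """Group records by audit serial number: {serial: [(type, body), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events[int(m.group(3))].append((m.group(1), m.group(4)))
    return dict(events)

def setfscreate_events(text):
    """Return one summary dict per AVC record whose permission set has setfscreate."""
    found = []
    for serial, records in sorted(parse_events(text).items()):
        for rtype, body in records:
            m = AVC.search(body) if rtype == "AVC" else None
            if not m or "setfscreate" not in m.group(2).split():
                continue
            fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
            found.append({
                "serial": serial,
                "result": m.group(1),
                "pid": int(fields["pid"]),
                "comm": fields.get("comm", "").strip('"'),
                "scontext": fields.get("scontext"),
                # Record types sharing this serial, e.g. no PATH for setfscreate
                "record_types": sorted({t for t, _ in records}),
            })
    return found

if __name__ == "__main__":
    for event in setfscreate_events(SAMPLE_LOG):
        print(event)
```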



