[redhat-lspp] Re: RHEL5 Kernel with labeled networking
Linda Knippers
linda.knippers at hp.com
Tue Oct 3 21:47:37 UTC 2006
Karl MacMillan wrote:
> Linda Knippers wrote:
>
>> Joshua Brindle wrote:
>>
>>
>>> Linda Knippers wrote:
>>>
>>>
>
> <snip>
>
>>>> If we go the auditallow route then we lose some audit record management
>>>> features, like the ability to enable/disble/search for these records,
>>>> don't we? Do we care?
>>>
>>> enable and disable with a boolean
>>>
>>> searching? surely you can search avc records..
>>
>> I meant with the audit tools, so using auditctl to add/remove rules and
>> ausearch for looking for specific record types.
>>
>
> As I said in my other mail the searching should be fine. Why does the
> addition or removal need to be handled by auditctl?
There was a discussion a long, long time about about how administrators should
manage what gets into the audit logs, whether its with the audit tools, the
policy or both. There are explicit message types for alot of management
operations so that the admin can decide whether to get them and the tools
make it easy to search for. If changing the ipsec label configuration is just
an AVC message, it will be different from just about everything else. It might
be easy, but is it what we want?
I wish sgrubb were reading mail today. I think this is something that he
cares about, at least he did the last time we had this conversation.
-- ljk
More information about the redhat-lspp
mailing list