[redhat-lspp] Re: RHEL5 Kernel with labeled networking
Klaus Weidner
klaus at atsec.com
Thu Oct 5 22:47:34 UTC 2006
On Tue, Oct 03, 2006 at 04:38:48PM -0700, Casey Schaufler wrote:
> --- Linda Knippers <linda.knippers at hp.com> wrote:
> > It has a requirement to be able to audit all modifications of the
> > values of security attributes, so we can audit a bunch of syscalls
> > that do that (chmod, chown, setxattr, ...). Relabeling files would
> > definitely count and be covered. There's also a requirement about
> > auditing changes to the way data is imported/exported, so this is
> > where the networking stuff comes in. I don't know about domain
> > transitions.
>
> I think you would have trouble arguing that a domain transition is not
> a change in the security state of the system. For the evaluations I
> worked auditing was required for any change to uids, gids,
> capabilities, sensitivity, integrity, or any other security relevent
> attribute.
Yes, it is a change in the process security state.
Domain transitions are auditable already - dynamic transitions through
the auditallow rules on /proc/$PID/attr/*, and automatic transitions by
putting filesystem watches on the *_exec_t binaries you're interested in.
-Klaus
More information about the redhat-lspp
mailing list