On Tue, Aug 08, 2006 at 09:19:20AM -0400, Janak Desai wrote: > On Mon, 2006-08-07 at 16:14 -0400, Stephen Smalley wrote: > > fscreate isn't a real file; it is just a kernel interface for setting an > > attribute of the process, like calling umask(2) to set the file mode > > creation mask. > > Good point. Just like we test (and audit) the use of umask system call, > we will have to audit the use of setfscreatecon.
Yes, it's security relevant with an audit requirement. LSPP pg. 22 in the audit table, 5.4.2 FMT_MSA.3 "all modifications of the initial value of security attributes". > Klaus, would it be sufficient, for meeting LSPP requirement, to > audit write(2) of the fscreate file? I guess you could argue that it meets the requirement, but it's extremely ugly since it'll be hard to audit selectively. I don't think there's a sane way to set filesystem watches on all /proc/$PID/attr/fscreate files to get those specifically, and you don't want to be auditing all open(2) calls. It would be much cleaner to have audit records specifically for the attr/* operations. I think they'll be fairly uncommon in general use, so I think it would be ok to always audit them without having specific auditctl filters. -Klaus -- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
