On Tue, Aug 08, 2006 at 12:52:37PM -0400, Stephen Smalley wrote: > Not sure if it would satisfy the need, but you could put auditallow > statements in the policy to trigger SELinux audit messages (and thus > also syscall audit messages at syscall exit) for these kinds of > operations, e.g. > # Audit setting of fscreate attribute. > auditallow domain self:process setfscreate; > or > # Audit writing to all /proc/pid files. > auditallow domain self:file write;
This sounds like a good solution, I didn't know that this works. Can someone verify that the audit record contains the LSPP required data such as the subject label? (My RHEL system currently doesn't boot since VMWare appears not to like the lspp.46 kernel, I haven't had time yet to look into it.) -Klaus -- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
