On Tue, 2006-08-08 at 15:53 -0400, Daniel J Walsh wrote:
> Klaus Weidner wrote:
> > On Tue, Aug 08, 2006 at 04:22:54PM -0300, Thiago Jung Bauermann wrote:
> >
> >> We did one test with the auditallow rule for write and another with the
> >> auditallow rule for setfscreate. The records found in the audit log for
> >> both tests are attached. The difference is that the auditallow rule for
> >> the write operation adds PATH and AVC_PATH audit records, while the
> >> setfscreate rule just generates AVC and SYSCALL records.
> >>
> >
> > Thanks for testing! The record is fine, the path information isn't needed
> > since the AVC record contains both the PID and the operation type
> > (setfscreate). It's more informative than the write record.
> >
> > Can a loadable policy module add "auditallow" entries like these, or does
> > this need to go into the base policy?
> >
> They can be in modules.

Yes, we tested this with a small loadable policy module. Dan, in your opinion is a loadable module the best way to handle this? I guess since the existing allow/fscreate line is in base_user_template a module can apply the change only for lspp evaluation system.

> >
> >> Both mention the pid and security context of the subject changing the
> >> fscreate file both in the AVC message and in the SYSCALL message, but
> >> none of them displays the new contents of the fscreate file.
> >>
> >> Klaus: do you think the info there is sufficient for LSPP?
> >>
> >
> > It would be nice to have the new fscreate context in the log, but it's
> > not required by LSPP. (The "additional event details" column doesn't list
> > it, and it's not one of the standard required audit record fields.)
> >
> > -Klaus

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
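The difference described in this thread (an auditallow hit on setfscreate produces only AVC and SYSCALL records, while write also produces PATH and AVC_PATH) can be checked by grouping audit records on their event serial. This is an added example, not part of the original message or its attachments; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records, NOT the logs attached to the original mail.
SAMPLE_LOG = """\
type=AVC msg=audit(1155067200.123:456): avc:  granted  { setfscreate } for  pid=2345 comm="fsctest" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process
type=SYSCALL msg=audit(1155067200.123:456): arch=40000003 syscall=4 success=yes exit=31 pid=2345 auid=500 uid=500 comm="fsctest" exe="/usr/bin/fsctest" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1155067201.500:457): avc:  granted  { write } for  pid=2346 comm="fsctest" name="out" dev=dm-0 ino=1234 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1155067201.500:457): arch=40000003 syscall=4 success=yes exit=5 pid=2346 auid=500 uid=500 comm="fsctest" exe="/usr/bin/fsctest" subj=user_u:user_r:user_t:s0
type=AVC_PATH msg=audit(1155067201.500:457):  path="/home/user/out"
type=PATH msg=audit(1155067201.500:457): item=0 name="out" inode=1234 dev=fd:00
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
PERMS = re.compile(r'avc:\s+(granted|denied)\s+\{ ([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(log_text):
    """Group records by audit event serial: {serial: [(type, body), ...]}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # silently skip lines that are not audit records
            events[int(m.group(3))].append((m.group(1), m.group(4)))
    return events

def setfscreate_events(log_text):
    """Return one dict per AVC record whose permission set has setfscreate."""
    found = []
    for serial, records in sorted(group_events(log_text).items()):
        types = sorted({rtype for rtype, _ in records})
        for rtype, body in records:
            pm = PERMS.search(body)
            if rtype != "AVC" or not pm or "setfscreate" not in pm.group(2).split():
                continue
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            found.append({
                "serial": serial,
                "result": pm.group(1),            # granted (auditallow) or denied
                "pid": int(fields["pid"]),        # subject PID from the AVC record
                "scontext": fields["scontext"],   # subject security context
                "record_types": types,            # sibling records in the same event
                "has_path": "PATH" in types,      # expected False for setfscreate
            })
    return found

if __name__ == "__main__":
    for event in setfscreate_events(SAMPLE_LOG):
        print(event)
```
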
