On Fri, 2006-09-15 at 15:16 -0400, Steve Grubb wrote:
> On Thursday 14 September 2006 18:56, Klaus Weidner wrote:
> > The cleaner solution would be to have an audit record.
>
> OK, we'll make some patches to fix this.

Are you sure? What do you want to audit?
newrole -r typoinrolename ?
newrole -r sysadm_r for user not authorized for that role?
any error exit path out of newrole?

The first two cases look exactly identical to newrole btw - it just gets an error from security_check_context() telling it that the context wasn't valid, not why.

> What other SE Linux programs are
> considered "trusted" and require audit messages when they fail to be used
> properly? The only other program that I can think of that is audit enhanced
> is semanage.

semodule came up recently (in order to distinguish different module operations at finer granularity than the kernel can see).

--
Stephen Smalley
National Security Agency
