* audit policy tag?
@ 2002-01-10 19:41 Shaun Savage
  2002-01-10 20:02 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Shaun Savage @ 2002-01-10 19:41 UTC (permalink / raw)
  To: selinux

Is there a policy tag that would allow an audit trail?  I see an audit on 
failure, but I would like to see an audit trail on success also.  I would 
assume success audit would require a tag
audit zot_t zot_t:file read
when executing in the zot_t domain a read of a zot_t file would write 
something to the log.

Also, is there a way to redirect the log to something other than syslog?

Shaun  


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: audit policy tag?
  2002-01-10 19:41 audit policy tag? Shaun Savage
@ 2002-01-10 20:02 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2002-01-10 20:02 UTC (permalink / raw)
  To: Shaun Savage; +Cc: selinux


On Thu, 10 Jan 2002, Shaun Savage wrote:

> Is there a policy tag that would allow an audit trail?   I see an audit on
> failure, but I would like to see an audit trail on success also.  I would
> assume success audit would require a tag
> audit zot_t zot_t:file read
> when executing in the zot_t domain a read of a zot_t file would write
> something to the log.

By default, everything is audited on denial and nothing is audited on
success.  However, you can configure specific cases using the 'auditdeny'
and 'auditallow' rules in the TE configuration.  Typically, when using
'auditdeny' you are reducing the set of audited permissions, which is why
those rules use '~' to obtain the complement of a set.  An example of
'auditallow' might be to audit every use of avc_toggle, which can be
achieved via:
	auditallow { initrc_t sysadm_t } kernel_t:system avc_toggle;

> Also is there a way to redirect the log to something other than syslog?

At present, SELinux simply uses the existing kernel logging facility,
since developing an auditing subsystem was outside the scope of the
project.  Of course, you can tell klogd to log kernel messages somewhere
other than syslog.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
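The two points in Stephen's reply, that denials are audited by default while successes are audited only where an 'auditallow' rule names them, and that the result lands in the kernel log rather than a dedicated audit subsystem, can be made concrete with a small model. The block below is an added example, not code from the thread, the NSA SELinux release or any SELinux tool. It models the audit decision for auditallow/auditdeny rules (including the '~' complement form) over a deliberately reduced permission table, and parses AVC lines of the "avc:  granted  { read } for ..." / "avc:  denied ..." shape out of a constructed klogd-style log to pull out the success trail the original poster asked for. The permission lists, the sample log lines, and the choice to combine several auditdeny rules for one key by intersection are assumptions of this model, not facts taken from the thread.

```python
"""Toy model of SELinux TE audit rules plus an AVC kernel-log parser.

Added example; not code from the mailing-list thread or from SELinux.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Illustrative permission sets (assumption: a small subset of the real
# access_vectors definitions, enough to show the '~' complement at work).
CLASS_PERMS: Dict[str, FrozenSet[str]] = {
    "file": frozenset({"read", "write", "append", "getattr", "setattr",
                       "lock", "ioctl", "execute"}),
    "system": frozenset({"avc_toggle", "load_policy", "ipc_info"}),
}


@dataclass(frozen=True)
class AuditRule:
    """One auditallow or auditdeny rule; complement=True models the '~' form."""
    src: str
    tgt: str
    cls: str
    perms: FrozenSet[str]
    complement: bool = False

    def matches(self, src: str, tgt: str, cls: str) -> bool:
        return (self.src, self.tgt, self.cls) == (src, tgt, cls)

    def audited_perms(self) -> FrozenSet[str]:
        # '~{ a b }' means every permission of the class except a and b.
        all_perms = CLASS_PERMS[self.cls]
        return all_perms - self.perms if self.complement else self.perms


@dataclass
class AuditPolicy:
    auditallow: List[AuditRule]
    auditdeny: List[AuditRule]

    def should_audit(self, src: str, tgt: str, cls: str, perm: str,
                     granted: bool) -> bool:
        """Return True if this access decision would produce an AVC message."""
        if granted:
            # Default: nothing is audited on success; auditallow adds cases.
            return any(r.matches(src, tgt, cls) and perm in r.audited_perms()
                       for r in self.auditallow)
        rules = [r for r in self.auditdeny if r.matches(src, tgt, cls)]
        if not rules:
            return True  # default: every denial is audited
        # Assumption of this model: several auditdeny rules for the same
        # (src, tgt, cls) key narrow the audited set by intersection.
        audited = CLASS_PERMS[cls]
        for r in rules:
            audited &= r.audited_perms()
        return perm in audited


# Rules from the thread, written as AuditRule values:
#   auditallow zot_t zot_t:file read;                       (asked for)
#   auditallow { initrc_t sysadm_t } kernel_t:system avc_toggle;
#   auditdeny user_t shadow_t:file ~{ getattr };            (hypothetical)
EXAMPLE_POLICY = AuditPolicy(
    auditallow=[
        AuditRule("zot_t", "zot_t", "file", frozenset({"read"})),
        AuditRule("initrc_t", "kernel_t", "system", frozenset({"avc_toggle"})),
        AuditRule("sysadm_t", "kernel_t", "system", frozenset({"avc_toggle"})),
    ],
    auditdeny=[
        AuditRule("user_t", "shadow_t", "file", frozenset({"getattr"}),
                  complement=True),
    ],
)

# Constructed sample of what klogd hands to syslog; not a real capture.
SAMPLE_KLOG = """\
Jan 10 14:02:11 zot kernel: avc:  granted  { read } for  pid=1234 exe=/bin/cat path=/var/zot/data dev=03:01 ino=4711 scontext=system_u:system_r:zot_t tcontext=system_u:object_r:zot_t tclass=file
Jan 10 14:02:12 zot kernel: avc:  denied  { write } for  pid=1235 exe=/bin/sh path=/etc/shadow dev=03:01 ino=99 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
Jan 10 14:02:13 zot kernel: avc:  granted  { avc_toggle } for  pid=1 exe=/sbin/init scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system
Jan 10 14:02:14 zot kernel: eth0: link up
"""

AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC message; return None for any other kernel log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    return {"granted": verdict == "granted",
            "perms": tuple(perms.split()),
            "scontext": fields.get("scontext"),
            "tcontext": fields.get("tcontext"),
            "tclass": fields.get("tclass"),
            "exe": fields.get("exe"),
            "path": fields.get("path")}


def type_of(context: str) -> str:
    """Extract the type from a user:role:type security context."""
    return context.split(":")[2]


def success_trail(klog: str) -> List[Tuple[str, str, str, str]]:
    """Collect (source type, target type, class, permission) for granted AVCs."""
    trail = []
    for line in klog.splitlines():
        rec = parse_avc(line)
        if rec and rec["granted"]:
            for perm in rec["perms"]:
                trail.append((type_of(rec["scontext"]), type_of(rec["tcontext"]),
                              rec["tclass"], perm))
    return trail


if __name__ == "__main__":
    for entry in success_trail(SAMPLE_KLOG):
        print("granted:", entry)
```

With this model, `should_audit("zot_t", "zot_t", "file", "read", True)` is audited because of the auditallow rule, the same domain's successful `write` is not, and every denial of `user_t` against `shadow_t` files except `getattr` is still audited because the '~' form only removes `getattr` from the default set. The parser side shows the practical cost of relying on klogd: the success trail has to be reconstructed after the fact from free-form kernel messages, which is also the reason redirecting klogd output is the only knob the thread can offer.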
