From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matthew Booth <mbooth@redhat.com>
Subject: Re: SELinux for auditing
Date: Fri, 02 Feb 2007 12:37:17 +0000
Message-ID: <1170419837.6772.14.camel@localhost.localdomain>
References: <1170202290.4168.14.camel@localhost.localdomain>
	<200702010936.59578.sgrubb@redhat.com>
	<1170341940.12293.124.camel@moss-spartans.epoch.ncsc.mil>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1826833166=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from [192.168.250.101] (sebastian-int.corp.redhat.com
	[172.16.52.221])
	by pobox.surrey.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	l12Jp2j5024516
	for <linux-audit@redhat.com>; Fri, 2 Feb 2007 19:51:04 GMT
In-Reply-To: <1170341940.12293.124.camel@moss-spartans.epoch.ncsc.mil>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


--===============1826833166==
Content-Type: multipart/alternative; boundary="=-yJXNFZXyUTCdnQ+8zoyQ"


--=-yJXNFZXyUTCdnQ+8zoyQ
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

On Thu, 2007-02-01 at 09:59 -0500, Stephen Smalley wrote:
> Also, he mentioned RHEL 4 as his platform, so I would tend to think that
> his kernel and auditctl wouldn't support this anyway.  So he may be
> limited to using auditallow statements in policy, which is certainly
> legitimate use of them (although I understand your goal of centralizing
> audit configuration).

It is for RHEL 4, so the above won't work. How much of the functionality
is in userspace, and how much requires extra kernel bits? In short, can
I recompile the RHEL5 auditd for RHEL4 and expect to get additional
functionality?

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

--=-yJXNFZXyUTCdnQ+8zoyQ
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/3.12.0">
</HEAD>
<BODY>
On Thu, 2007-02-01 at 09:59 -0500, Stephen Smalley wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">Also, he mentioned RHEL 4 as his platform, so I would tend to think that</FONT>
<FONT COLOR="#000000">his kernel and auditctl wouldn't support this anyway.  So he may be</FONT>
<FONT COLOR="#000000">limited to using auditallow statements in policy, which is certainly</FONT>
<FONT COLOR="#000000">legitimate use of them (although I understand your goal of centralizing</FONT>
<FONT COLOR="#000000">audit configuration).</FONT>
</PRE>
</BLOCKQUOTE>
<BR>
It is for RHEL 4, so the above won't work. How much of the functionality is in userspace, and how much requires extra kernel bits? In short, can I recompile the RHEL5 auditd for RHEL4 and expect to get additional functionality?<BR>
<BR>
Matt<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
<PRE>
-- 
Red Hat, Global Professional Services

M:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; +44 (0)7977 267231
GPG ID:&nbsp; D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
</PRE>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>

--=-yJXNFZXyUTCdnQ+8zoyQ--


--===============1826833166==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1826833166==--