Re: exclude rule help

[LC Bruzenak <lenny@magitekltd.com>]

On Thu, 2009-06-25 at 20:22 -0400, Steve Grubb wrote:
> On Thursday 25 June 2009 06:01:08 pm LC Bruzenak wrote:
> > Anyone have a good idea of how to discard all these events? Ideally the
> > caller would send in a self-generated event such as "ryncing rick/src2/
> > to /temp-home" or similar. This is for a dedicated file backup
> > procedure.
> >
> > Obviously I do not want to discard all rsync events, just when launched
> > by our trusted program. Nor would I really want all that program's
> > events discarded since I want it to be able to submit proactive events
> > which summarize its behavior.
> 
> With SE Linux, you can create different subject types based on how the 
> application was started. Then you can exclude based on the type you assign to 
> your subject whenever started by your trusted program.
> 
> -Steve

Right, but wouldn't that preclude that same program from being able to
proactively submit its own records and also stop any inadvertent audit
events?

I guess I could:
1: start the first process with type1, let type1 audit what it plans to
do, then it could fork/exec/transition to type2.
2: the new process type2 could then run the rsync stuff. I could exclude
all the type2 records
3: the parent would wait for the child to complete and, based on the
exit code, audit success/failure as appropriate?

I guess this is the best way forward, however it scares me a little that
no events will then be logged from the process of that type2. If I
protect it I guess it's OK.

Thx!
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com