From: LC Bruzenak
Subject: Re: exclude rule help
Date: Thu, 25 Jun 2009 20:22:05 -0500
Message-ID: <1245979325.7681.24.camel@homeserver>
References: <1245967268.7681.8.camel@homeserver> <200906252022.38719.sgrubb@redhat.com>
In-Reply-To: <200906252022.38719.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thu, 2009-06-25 at 20:22 -0400, Steve Grubb wrote:
> On Thursday 25 June 2009 06:01:08 pm LC Bruzenak wrote:
> > Anyone have a good idea of how to discard all these events? Ideally the
> > caller would send in a self-generated event such as "rsyncing rick/src2/
> > to /temp-home" or similar. This is for a dedicated file backup
> > procedure.
> >
> > Obviously I do not want to discard all rsync events, just when launched
> > by our trusted program. Nor would I really want all that program's
> > events discarded since I want it to be able to submit proactive events
> > which summarize its behavior.
>
> With SE Linux, you can create different subject types based on how the
> application was started. Then you can exclude based on the type you assign to
> your subject whenever started by your trusted program.
>
> -Steve

Right, but wouldn't that preclude that same program from being able to
proactively submit its own records and also stop any inadvertent audit
events?

I guess I could:

1: start the first process with type1, let type1 audit what it plans to do,
   then it could fork/exec/transition to type2.
2: the new process type2 could then run the rsync stuff. I could exclude all
   the type2 records.
3: the parent would wait for the child to complete and, based on the exit
   code, audit success/failure as appropriate?

I guess this is the best way forward, however it scares me a little that no
events will then be logged from the process of that type2. If I protect it I
guess it's OK.

Thx!
LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com
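The three-step layout sketched in the reply above (parent announces the job, worker runs in a separate, excluded domain, parent submits success/failure from the exit code), written out as an added shell example. This is not code from the thread or from the audit project. The SELinux domain names backup_ctl_t and backup_rsync_t, the job label passed as the first argument, and the record format are assumptions; the exclude rule in the comments assumes an auditctl and kernel whose exclude filter accepts subj_type (the auditctl man page lists it among the allowed exclude fields), and the auditctl -m path is only taken when AUDIT_SINK=auditd, so the script can be exercised on a host without auditd.

```shell
#!/bin/sh
# Added illustration of the parent/child layout from the thread; not the poster's code.
# Assumed names: backup_ctl_t (parent domain, still audited) and backup_rsync_t
# (worker domain, excluded). A matching rule, with the assumed type name, would be:
#   auditctl -a exclude,always -F subj_type=backup_rsync_t
# which drops the worker's records while the parent's own records keep flowing.

# Deliver one record. With AUDIT_SINK=auditd (root, auditd running) use a USER
# message via auditctl -m; otherwise write to stdout so this is testable offline.
AUDIT_SINK=${AUDIT_SINK:-stdout}
submit_event() {
    if [ "$AUDIT_SINK" = auditd ]; then
        auditctl -m "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Build the summary record (constructed format) from the worker's exit status.
summary_record() {
    job=$1; rc=$2
    if [ "$rc" -eq 0 ]; then
        printf 'backup-job=%s res=success\n' "$job"
    else
        printf 'backup-job=%s res=failed exit=%s\n' "$job" "$rc"
    fi
}

# Step 1: announce the plan from the parent (its subj_type is not excluded).
# Step 2: run the worker. In deployment set CHILD_PREFIX="runcon -t backup_rsync_t"
#         (assumed domain) so the worker's syscall records carry that subj_type
#         and match the exclude rule; the parent's records do not.
# Step 3: wait for the worker and submit success/failure based on its exit code.
run_backup() {
    job=$1; shift
    submit_event "backup-job=$job res=started cmd=$*"
    if ${CHILD_PREFIX:-} "$@"; then rc=0; else rc=$?; fi
    submit_event "$(summary_record "$job" "$rc")"
    return "$rc"
}

# Usage (worker command in place of rsync):
#   CHILD_PREFIX="runcon -t backup_rsync_t" AUDIT_SINK=auditd run_backup nightly rsync -a /src/ /backup/
```

The worker's own activity disappears from the log only because of the exclude rule on its domain, which is the part the thread is uneasy about; the two records the parent submits are the only trace of the job, so the parent must be the component whose domain is protected by policy.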