From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Re: [patch] Full relabel audit event
Date: Tue, 30 May 2006 09:22:44 -0400
Message-ID: <200605300922.44971.sgrubb@redhat.com>
References: <1148590901.8828.22.camel@code.and.org> <1148663120.20976.235.camel@moss-spartans.epoch.ncsc.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1148663120.20976.235.camel@moss-spartans.epoch.ncsc.mil>
Content-Disposition: inline
Sender: redhat-lspp-bounces@redhat.com
Errors-To: redhat-lspp-bounces@redhat.com
To: redhat-lspp@redhat.com
Cc: James Antill, linux-audit@redhat.com, Stephen Smalley, selinux@tycho.nsa.gov
List-Id: linux-audit@redhat.com

On Friday 26 May 2006 13:05, Stephen Smalley wrote:
> Hmmm...what is it that you actually want to do here?

We need to meet the requirements for LSPP where there is a relabel on boot, but we do not want a record for each file that was touched. It was discussed on the LSPP telecon a while back that just one record was sufficient.

> If you only care about auditing autorelabel events, then I'd suggest
> generating the audit message from the autorelabel portion of rc.sysinit (via
> a helper, I suppose), not from setfiles itself.

This is a shell script and cannot connect to libaudit.

> If you want to audit all full relabels, then you need to instrument more
> than setfiles (e.g. restorecon -R / works just as well), and of course, you
> potentially need to do something at the kernel level with audit filters or
> auditallow rules in policy if you truly want to capture all relabels.

We get relabels by monitoring the setxattr syscall. But during bootup before going interactive, we just want 1 message.

-Steve

--
redhat-lspp mailing list
redhat-lspp@redhat.com
https://www.redhat.com/mailman/listinfo/redhat-lspp