From: Steve Grubb
Subject: Re: exclude rule help
Date: Thu, 25 Jun 2009 20:22:38 -0400
Message-ID: <200906252022.38719.sgrubb@redhat.com>
References: <1245967268.7681.8.camel@homeserver>
In-Reply-To: <1245967268.7681.8.camel@homeserver>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 25 June 2009 06:01:08 pm LC Bruzenak wrote:
> Anyone have a good idea of how to discard all these events? Ideally the
> caller would send in a self-generated event such as "rsyncing rick/src2/
> to /temp-home" or similar. This is for a dedicated file backup
> procedure.
>
> Obviously I do not want to discard all rsync events, just when launched
> by our trusted program. Nor would I really want all that program's
> events discarded since I want it to be able to submit proactive events
> which summarize its behavior.

With SE Linux, you can create different subject types based on how the
application was started. Then you can exclude based on the type you assign to
your subject whenever started by your trusted program.

-Steve
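A model of what excluding by subject type does to the event stream, as an added example that is not part of the original message or of the audit project's code. The types `backup_t` and `backup_rsync_t`, the function names, and the log records are constructed assumptions.

```python
import re

# Constructed sample records (not from the original thread). The types
# backup_t and backup_rsync_t are hypothetical: they assume a local SELinux
# policy in which the trusted backup program runs as backup_t and rsync
# transitions to backup_rsync_t only when that program launches it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1245967268.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=4101 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:backup_rsync_t:s0 key="homefiles"
type=SYSCALL msg=audit(1245967268.102:502): arch=c000003e syscall=2 success=yes exit=4 pid=4101 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:backup_rsync_t:s0 key="homefiles"
type=SYSCALL msg=audit(1245967301.440:503): arch=c000003e syscall=2 success=yes exit=3 pid=4188 comm="rsync" exe="/usr/bin/rsync" subj=user_u:user_r:rsync_t:s0 key="homefiles"
type=USER msg=audit(1245967269.000:504): pid=4100 uid=0 auid=500 subj=system_u:system_r:backup_t:s0 msg='rsyncing rick/src2/ to /temp-home'
"""

SUBJ_RE = re.compile(r"\bsubj=(\S+)")
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def subject_type(record):
    """Return the type field of the record's SELinux subject context, or None."""
    match = SUBJ_RE.search(record)
    if not match:
        return None
    # Context layout is user:role:type[:level]; the level may itself contain ':'.
    parts = match.group(1).split(":")
    return parts[2] if len(parts) >= 3 else None


def drop_subject_type(records, excluded_type):
    """Keep every record whose subject type differs from excluded_type.

    Records without a subj= field are kept, so a parsing gap never hides events.
    """
    return [r for r in records if subject_type(r) != excluded_type]


def kept_serials(log_text, excluded_type):
    """Return the event serial numbers that survive the exclusion."""
    records = [line for line in log_text.splitlines() if line.strip()]
    kept = drop_subject_type(records, excluded_type)
    serials = (SERIAL_RE.search(r) for r in kept)
    return [int(m.group(1)) for m in serials if m]


if __name__ == "__main__":
    # rsync run by the backup program is dropped; other rsync runs and the
    # backup program's own summary event remain.
    print(kept_serials(SAMPLE_LOG, "backup_rsync_t"))
```

In the audit rules themselves the corresponding match is the `subj_type` field, for example `-F subj_type=backup_rsync_t` with the hypothetical type used here.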