On Friday 26 May 2006 13:05, Stephen Smalley wrote:
> Hmmm...what is it that you actually want to do here?
We need to meet the requirements for LSPP where there is a relabel on boot,
but we do not want a record for each file that was touched. It was discussed
on the LSPP telecon a while back that just one record was sufficient.
> If you only care about auditing autorelabel events, then I'd suggest
> generating the audit message from the autorelabel portion of rc.sysinit (via
> a helper, I suppose), not from setfiles itself.
This is a shell script and cannot connect to libaudit.
> If you want to audit all full relabels, then you need to instrument more
> than setfiles (e.g. restorecon -R / works just as well), and of course, you
> potentially need to do something at the kernel level with audit filters or
> auditallow rules in policy if you truly want to capture all relabels.
We get relabels by monitoring the setxattr syscall. But during bootup before
going interactive, we just want 1 message.
-Steve
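For a reader who wants the concrete shape of the setxattr monitoring Steve mentions, here is an audit rule fragment in the syntax auditctl reads from /etc/audit/audit.rules. It is an added example, not part of the original thread and not the configuration shipped with setfiles, auditd or any LSPP-evaluated system. It assumes an x86_64 machine (the arch filters are an assumption; adjust them elsewhere), and the key name `relabel` is an arbitrary tag chosen for this example.

```conf
# Added example (not from the thread): log every extended-attribute write.
# Relabelling an existing file with setfiles, restorecon or chcon ends up
# in one of these syscalls, writing the security.selinux attribute.
# Assumes x86_64; the arch filters are an assumption for this example.
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr -k relabel
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr -k relabel
```

Matching records can be pulled back with `ausearch -k relabel`; older auditctl versions also accept the `-a exit,always` ordering. Two caveats a practitioner should keep in mind. First, there is no filter field for the attribute name, so the rule fires for user.* and trusted.* writes and for POSIX ACL updates too, not only for security.selinux; the SYSCALL record and its PATH record have to be inspected to tell them apart. Second, auditd, which loads these rules, is started by init after rc.sysinit has already run on the init ordering of that era, so a boot-time autorelabel produces no setxattr records at all, and a single record emitted from the autorelabel step by a helper, as discussed above, is the only thing that would mark it in the audit trail.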