Amy Griffis wrote:
> On Fri, Mar 10, 2006 at 02:52:51PM -0600, Darrel Goeddel wrote:
>> I like 'em. Here is a new patch that incorporates them. It also
>> moves the initialization call to selinux into the audit_init
>> function as you had suggested earlier. Look right?
> You may want to audit_log a message indicating that the audit rules
> were updated due to policy reload. And in the case when you remove a
> rule because you couldn't update it, you might want to log that too.
We really aren't updating (or removing) the rule. We are only updating
an implementation specific piece of information relating to the rule.
If a rule references the type badapp_t, it will always reference that
type. The hidden selinux cache of information may change, but the
"spirit of the rule" is always the same. So my opinion is that noting
the update is unnecessary (syslog was a compromise from earlier...).
The removal case is handled by audit_panic because it indicates a real
failure in the audit internals somewhere.
--
Darrel
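The distinction drawn above (the rule's meaning is the type name; the SELinux-side id is only a cache that gets re-resolved on policy reload, and a name that fails to re-resolve is an internal failure rather than a rule change) is easier to see in code. The following is a constructed, self-contained model written for this page; it is not the kernel's audit or SELinux code, and the names `policy_load`, `rule_update`, `rule_matches` and `rules_refresh`, the type names and the numeric ids are all invented for the illustration.

```c
/* Model of an audit rule that references an SELinux type by name and caches
 * the policy-specific id.  Constructed illustration; not the kernel's code. */
#include <stdio.h>
#include <string.h>

#define MAX_TYPES 8
#define MAX_NAME  32

/* Stand-in for the loaded policy: type name -> numeric id.  Ids are an
 * implementation detail and may change on reload; names are stable. */
struct policy {
    int          generation;          /* incremented on every load */
    int          ntypes;
    char         names[MAX_TYPES][MAX_NAME];
    unsigned int ids[MAX_TYPES];
};

/* The rule's meaning is the type name.  The id is only a cache, valid for
 * the policy generation it was resolved against. */
struct type_rule {
    char         type_name[MAX_NAME];
    unsigned int cached_id;
    int          cached_generation;
};

/* Load (or reload) a policy from constructed name/id tables. */
static void policy_load(struct policy *p, int ntypes,
                        const char **names, const unsigned int *ids)
{
    p->generation++;
    p->ntypes = ntypes > MAX_TYPES ? MAX_TYPES : ntypes;
    for (int i = 0; i < p->ntypes; i++) {
        strncpy(p->names[i], names[i], MAX_NAME - 1);
        p->names[i][MAX_NAME - 1] = '\0';
        p->ids[i] = ids[i];
    }
}

static int policy_lookup(const struct policy *p, const char *name,
                         unsigned int *id_out)
{
    for (int i = 0; i < p->ntypes; i++) {
        if (strcmp(p->names[i], name) == 0) {
            *id_out = p->ids[i];
            return 0;
        }
    }
    return -1;                        /* type not defined in this policy */
}

/* Re-resolve the cached id against the current policy.  The name stored in
 * the rule is never touched.  Returns -1 if the name no longer resolves;
 * that is the caller's "remove the rule / audit_panic" path. */
static int rule_update(struct type_rule *r, const struct policy *p)
{
    unsigned int id;

    if (policy_lookup(p, r->type_name, &id) != 0)
        return -1;
    r->cached_id = id;
    r->cached_generation = p->generation;
    return 0;
}

static int rule_init(struct type_rule *r, const char *name,
                     const struct policy *p)
{
    memset(r, 0, sizeof(*r));
    strncpy(r->type_name, name, MAX_NAME - 1);
    return rule_update(r, p);
}

/* Compare a subject's id against the rule.  Returns 1/0 for match/no match,
 * or -1 if the cache belongs to an older policy generation and was never
 * refreshed after reload (a stale id would compare against the wrong type). */
static int rule_matches(const struct type_rule *r, const struct policy *p,
                        unsigned int subject_id)
{
    if (r->cached_generation != p->generation)
        return -1;
    return r->cached_id == subject_id;
}

/* Walk every rule after a reload; returns how many failed to re-resolve. */
static int rules_refresh(struct type_rule *rules, int nrules,
                         const struct policy *p)
{
    int failed = 0;

    for (int i = 0; i < nrules; i++)
        if (rule_update(&rules[i], p) != 0)
            failed++;
    return failed;
}

int main(void)
{
    struct policy p = {0};
    struct type_rule r;
    const char *v1[] = {"badapp_t", "httpd_t"};
    const unsigned int v1_ids[] = {17, 23};
    const char *v2[] = {"httpd_t", "badapp_t"};   /* reload renumbers ids */
    const unsigned int v2_ids[] = {5, 42};

    policy_load(&p, 2, v1, v1_ids);
    rule_init(&r, "badapp_t", &p);
    printf("before reload: %s -> id %u\n", r.type_name, r.cached_id);
    policy_load(&p, 2, v2, v2_ids);
    rules_refresh(&r, 1, &p);
    printf("after reload:  %s -> id %u (rule text unchanged)\n",
           r.type_name, r.cached_id);
    return 0;
}
```

The generation check in `rule_matches` is the practitioner's safeguard: if a reload happens and the cache is not refreshed, the rule refuses to compare a stale id rather than silently matching whatever type now owns that number. The failure count from `rules_refresh` is the model's equivalent of the "couldn't update, remove it" case, which only arises when a type the rule names has vanished from the loaded policy.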