The following two patches provide filtering of audit messages based on
any element of an SELinux context label (user, role, type, category,
sensitivity). The first patch provides the kernel enhancements and the
second patch provides user space enhancements.
This functionality is required for certification by RBAC FAU_SEL.1.1(b)
(Selective Audit), pasted here for reference:
FAU_SEL.1 Selective Audit
FAU_SEL.1.1 The TSF shall be able to include or exclude auditable events
from the set of audited events based on the following attributes:
(a) Object identity, user identity, subject identity, host identity, and
event type
(b) Users belonging to a specified Role and Access types (e.g. delete,
insert) on a particular object
The LSPP/RBACPP certification efforts have taken SELinux roles to
sufficiently satisfy RBAC's dependencies on role labels. An SELinux
label, however, contains additional object classifying elements. Only
incremental effort beyond my original work to add role-based audit
message filtering resulted in the ability for administrators to filter
based on any part of the SELinux label. I expect that functionality to be
generally useful and probably expected by users who would have the
ability to filter on roles.
Additionally, I extended my previous work on audit comparators support
to apply to strings, such that label elements may be compared with (=, !=,
>=, <=, >, <). Although supported, the fact that "user_u">"root" is
less useful than, say, "s1"<"s3". Simply the fact that such comparators
are supported should reduce the complexity of some esoteric ranges
various users of audit might require.
These patches make use of the new audit_rule_data structure put forth by
Amy Griffis, which I have been testing extensively during my
development. Her patches are required in order to pass arbitrary length
strings as part of the audit rules to and from the kernel. My patches
depend on two patches she posted on this list (linux-audit@redhat.com),
and are identified in the following two messages.
:-Dustin
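As an added illustration of the filtering the message describes (this is not code from either patch and not Dustin's code), the following C program models an audit rule of the form "label element, comparator, string" applied to SELinux context strings such as root:sysadm_r:sysadm_t:s3-s5:c0.c3. The field names (SE_USER, SE_ROLE, SE_TYPE, SE_SEN, SE_CAT), the context format it accepts, keeping only the low sensitivity of a range, and comparing sN sensitivities by their number rather than as text are all assumptions made here; the message does not say how the patches themselves order label elements.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of "filter audit records on one element of an SELinux
 * context with a comparator".  Added example, not the kernel or user-space
 * patch; the field names and the numeric handling of sensitivities are
 * assumptions made for this illustration. */

enum ctx_field { SE_USER, SE_ROLE, SE_TYPE, SE_SEN, SE_CAT };
enum ctx_op    { OP_EQ, OP_NE, OP_GE, OP_LE, OP_GT, OP_LT };

struct ctx_rule {
    enum ctx_field field;
    enum ctx_op    op;
    const char    *value;   /* arbitrary-length string carried by the rule */
};

struct se_ctx { char user[64], role[64], type[64], sen[32], cat[64]; };

/* Parse "user:role:type[:sLOW[-sHIGH]][:cats]".  Only the low sensitivity of
 * a range is kept (assumption for this example).  Returns 0 on success. */
static int parse_ctx(const char *label, struct se_ctx *c)
{
    char buf[256];
    char *parts[5] = {0};
    int n = 0;

    memset(c, 0, sizeof *c);
    if (strlen(label) >= sizeof buf)
        return -1;
    strcpy(buf, label);
    for (char *p = strtok(buf, ":"); p && n < 5; p = strtok(NULL, ":"))
        parts[n++] = p;
    if (n < 3)
        return -1;                      /* user, role and type are mandatory */
    snprintf(c->user, sizeof c->user, "%s", parts[0]);
    snprintf(c->role, sizeof c->role, "%s", parts[1]);
    snprintf(c->type, sizeof c->type, "%s", parts[2]);
    if (n > 3) {
        char *dash = strchr(parts[3], '-');
        if (dash)
            *dash = '\0';               /* drop the high level of a range */
        snprintf(c->sen, sizeof c->sen, "%s", parts[3]);
    }
    if (n > 4)
        snprintf(c->cat, sizeof c->cat, "%s", parts[4]);
    return 0;
}

/* Order two label elements.  Sensitivities "sN" compare by N, so that
 * s9 < s10 (plain string order would say the opposite); every other
 * element is compared as a string. */
static int compare_elem(enum ctx_field f, const char *a, const char *b)
{
    if (f == SE_SEN && a[0] == 's' && b[0] == 's') {
        long la = strtol(a + 1, NULL, 10), lb = strtol(b + 1, NULL, 10);
        return (la > lb) - (la < lb);
    }
    return strcmp(a, b);
}

/* Returns 1 if the rule selects this label, 0 if not, -1 on a bad label. */
int ctx_rule_match(const struct ctx_rule *r, const char *label)
{
    struct se_ctx c;
    int cmp;

    if (parse_ctx(label, &c) != 0)
        return -1;
    const char *elems[] = { c.user, c.role, c.type, c.sen, c.cat };
    const char *elem = elems[r->field];
    if (elem[0] == '\0')
        return 0;                       /* element absent: never selected */
    cmp = compare_elem(r->field, elem, r->value);
    switch (r->op) {
    case OP_EQ: return cmp == 0;
    case OP_NE: return cmp != 0;
    case OP_GE: return cmp >= 0;
    case OP_LE: return cmp <= 0;
    case OP_GT: return cmp > 0;
    default:    return cmp < 0;
    }
}

/* Convenience wrapper: build a one-field rule and apply it to a label. */
int match_label(enum ctx_field f, enum ctx_op op, const char *value,
                const char *label)
{
    struct ctx_rule r = { f, op, value };
    return ctx_rule_match(&r, label);
}

int main(void)
{
    /* Constructed sample labels, in the form they might carry in a record. */
    const char *labels[] = { "user_u:user_r:user_t:s0",
                             "root:sysadm_r:sysadm_t:s3-s5:c0.c3",
                             "staff_u:staff_r:staff_t:s10" };
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++)
        printf("%-36s role=sysadm_r:%d  sens>=s2:%d\n", labels[i],
               match_label(SE_ROLE, OP_EQ, "sysadm_r", labels[i]),
               match_label(SE_SEN, OP_GE, "s2", labels[i]));
    return 0;
}
```

The point of the numeric branch in compare_elem is the caveat a practitioner would check before relying on "s1"<"s3"-style rules: ordering done on the raw strings gives the wrong answer once levels reach two digits (s10 versus s9), so whichever comparison the real implementation performs on sensitivities should be confirmed against the policy's actual level numbering rather than assumed.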