Re: need rules help

Sunday, 9 August 2009

On Saturday 08 August 2009 01:59:53 pm LC Bruzenak wrote:
...
 > The issue is that SE Linux AVCs travel a different path. When an
AVC
 > denial occurs and there is not a dontaudit associated with it, it sends
 > the event straight to the netlink queue. To suppress an AVC, you would
 > need to make a change to SE Linux policy. The SE Linux folks wanted to
 > make sure there was no way to suppress an AVC without explicitly stating
 > so in policy.

 Bummer. But thanks for the explanation; that makes sense...sort of.
 Does the "exclude" rule then work for msgtype=AVC (as the manpage says)?
 If so, seems like a broad stroke is allowed whereas detailed exclusion
 isn't. 
Did some more digging on this and found I missed a line of code.

http://lxr.linux.no/linux+v2.6.30.4/kernel/audit.c#L1167

When audit_log_start is called to create an AVC, it calls audit_filter_type() 
which is the exclude filter.

http://lxr.linux.no/linux+v2.6.30.4/kernel/auditfilter.c#L1743

At line 1757, you can see that it only cares about the event type field. It 
does not check any other fields that you might have in the rule such as 
subjects. Originally there was some discussion about not allowing the audit 
system to suppress AVC's since correcting policy is really the best way to go.

So, I think yes you can suppress AVC's. But its all AVC's and not any 
particular one. It seems like it would be trivial to add some more checking to 
the type filter to better tune what is being thrown away.

-Steve

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: need rules help