Re: [PATCH] audit: Match SELinux context in "user" records
On Mon, 2009-11-09 at 16:10 +0100, Miloslav Trmač wrote:
From: Miloslav Trmac <mitr(a)redhat.com>
Add support for matching by security label (e.g. SELinux context) of
the sender of an user-space audit record.
The audit filter code already allows user space to configure such
filters, but they were ignored during evaluation. This patch implements
evaluation of these filters.
For example, after application of this patch, PAM authentication logs
caused by cron can be disabled using
auditctl -a user,never -F subj_type=crond_t
Signed-off-by: Miloslav Trmac <mitr(a)redhat.com>
I wish there was a way to stop sending these instead of dropping them
later, but the functionality itself is not a horrid idea and this isn't
a performance hot list (like the syscall list) so.....
Acked-by: Eric Paris <eparis(a)redhat.com>
(I actually talked to Al about it already and he'll queue it up for the
next merge window)