On Wed, 02 Nov 2005 12:10:42 EST, Steve Grubb said:
> On Wednesday 02 November 2005 11:43, Matt Anderson wrote:
> > Here are the four types that were required for Cups
> >
> >  AUDIT_LABELED_EXPORT
> >  AUDIT_UNLABELED_EXPORT
>
> Just a generic question -- do we need to patch cat, cp, rsync, scp, star, ...
> to have these, too?
>
> What if they do:
>
>   file=`cat secret`
>   echo $file > /mnt/unlabeled-device/file
>
> Would it be reasonable to expect the shell script to trigger this event? If so,
> would we need to patch all these apps or should this be done via kernel
> mechanism? If catching this is reasonable...what about anything else like
> perl, python, expect, etc.

Presumably, that should be failed by SELinux or something as a violation
of the appropriate MLS constraint - a process running at some level allowed
to run 'cat secret' shouldn't be allowed to write to an unlabeled device.
CUPS needs special handling because it acts as a proxy for the user, and also
has to potentially deal with users in different security boxes, so it has to
re-create much of the checking and labelling done by the operating system
when it's the user acting directly.

> I think we also need these:
>
>  AUDIT_LABELED_IMPORT
>  AUDIT_UNLABELED_IMPORT

We'll probably eventually need these, but not within the context of CUPS, unless
there's a CUPS facility that can do such importing?