Stephen Smalley wrote:
But I don't see why that should prevent you from handling SELinux audit messages via auditd and directing them to a MAC audit log file. The kernel logging infrastructure can't really handle the potential load of SELinux audit, and you don't really want SELinux audit messages intermingled with other kernel log messages.
What type of audit log separation are you suggesting?
I would think SELinux AVC messages could be logged to a separate location.
However, even a failed request because of DAC needs to have complete MAC
information (label/type) of subject and object in the audit record for LSPP.
Does this match up to what you were stating?
-Chad
____________________________
Chad Hanson
Senior Secure Systems Engineer
Trusted Computer Solutions
121 W Goose Alley
Urbana, IL 61801
www.TrustedCS.com
V: 217.384.0028 ext.12
F: 217.384.0288
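As an added example (not part of this thread or of any SELinux/auditd code), a small Python checker for the two points discussed above: it routes events that carry an AVC record to a separate MAC stream, and for every failed request it verifies that the event carries both a subject label and an object label. The records follow auditd's key=value layout, but the sample lines themselves are constructed, not captured from a system.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (not from a real system): a MAC (AVC) denial,
# a DAC denial that carries labels, and a DAC denial with the labels missing.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:500): avc:  denied  { read } for  pid=2001 comm="cat" name="shadow" dev=sda1 ino=1310 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1700000000.101:500): arch=c000003e syscall=2 success=no exit=-13 pid=2001 uid=1000 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0 key=(null)
type=PATH msg=audit(1700000000.101:500): item=0 name="/etc/shadow" inode=1310 dev=08:01 mode=0100000 ouid=0 ogid=0 obj=system_u:object_r:shadow_t:s0
type=SYSCALL msg=audit(1700000000.202:501): arch=c000003e syscall=2 success=no exit=-13 pid=2002 uid=1000 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0 key=(null)
type=PATH msg=audit(1700000000.202:501): item=0 name="/root/.bashrc" inode=77 dev=08:01 mode=0100600 ouid=0 ogid=0 obj=root:object_r:admin_home_t:s0
type=SYSCALL msg=audit(1700000000.303:502): arch=c000003e syscall=2 success=no exit=-13 pid=2003 uid=1000 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1700000000.303:502): item=0 name="/root/notes" inode=78 dev=08:01 mode=0100600 ouid=0 ogid=0
"""

HDR_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into its type, event serial and key=value fields."""
    m = HDR_RE.match(line)
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "serial": int(serial), "fields": fields}

def group_events(text):
    """Records that share an audit serial belong to the same event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return events

def check_event(records):
    """Route AVC events to a separate MAC stream and verify label completeness."""
    types = {r["type"] for r in records}
    fields = {k: v for r in records for k, v in r["fields"].items()}
    denied = fields.get("success") == "no"
    # Subject label: SYSCALL subj= or AVC scontext=; object label: PATH obj= or AVC tcontext=.
    has_subj = "subj" in fields or "scontext" in fields
    has_obj = "obj" in fields or "tcontext" in fields
    return {"stream": "mac" if "AVC" in types else "main",
            "dac_denial": denied and "AVC" not in types,
            "mac_complete": has_subj and has_obj}

def audit_report(text=SAMPLE_LOG):
    return {serial: check_event(recs) for serial, recs in group_events(text).items()}
```

Event 502 is the case Chad raises: a DAC-only failure whose record lacks the MAC labels, which the report flags as incomplete even though no AVC message was ever generated.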