On Tue, 2005-01-04 at 16:20, Chad Hanson wrote:
> What type of audit log separation are you suggesting?
First and foremost, just separating the SELinux audit messages from
other kernel log messages, i.e. don't send them to syslogd and don't put
them in /var/log/messages. Then, if desired, separate them from DAC
audit messages.
> I would think SELinux AVC messages could be logged to a separate
> location.
> However, even a failed request because of DAC needs to have complete MAC
> information (label/type) of subject and object in the audit record for LSPP.
That will require a callback by the kernel audit framework into the
security module to get the supplementary information (e.g. the security
contexts) for inclusion in the DAC audit record, as the kernel audit
framework has no direct knowledge of security contexts.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
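As an added illustration of the two points discussed above (routing AVC records away from the other audit messages, and checking that DAC denials still carry subject and object security contexts), not code from this thread: a small Python checker run over constructed audit records. It assumes the later Linux audit record layout (type=, msg=audit(timestamp:serial), subj= on SYSCALL and obj= on PATH records), which postdates this exchange.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread): event 41 is a MAC denial
# (AVC present), 42 a DAC denial with labels, 43 a DAC denial without subj=/obj=.
SAMPLE_LOG = """\
type=AVC msg=audit(1104854400.100:41): avc:  denied  { read } for  pid=1201 comm="cat" name="shadow" dev=sda1 ino=5678 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1104854400.100:41): arch=40000003 syscall=5 success=no exit=-13 pid=1201 uid=500 subj=user_u:user_r:user_t
type=SYSCALL msg=audit(1104854400.200:42): arch=40000003 syscall=5 success=no exit=-13 pid=1202 uid=500 subj=user_u:user_r:user_t
type=PATH msg=audit(1104854400.200:42): item=0 name="/etc/shadow" inode=5678 dev=08:01 mode=0100400 ouid=0 ogid=0 obj=system_u:object_r:shadow_t
type=SYSCALL msg=audit(1104854400.300:43): arch=40000003 syscall=5 success=no exit=-13 pid=1203 uid=500
type=PATH msg=audit(1104854400.300:43): item=0 name="/etc/shadow" inode=5678 dev=08:01 mode=0100400 ouid=0 ogid=0
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its type, event serial and key=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
    return {"type": m.group(1), "serial": int(m.group(3)), "fields": fields}


def separate_avc(lines):
    """First step from the reply: route AVC records away from everything else."""
    avc, other = [], []
    for rec in filter(None, map(parse_record, lines)):
        (avc if rec["type"] == "AVC" else other).append(rec)
    return avc, other


def incomplete_dac_denials(lines):
    """Serials of failed syscalls with no AVC record (i.e. DAC denials) whose
    event lacks a subject (subj=) or object (obj=) security context."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        events[rec["serial"]].append(rec)
    bad = []
    for serial, recs in sorted(events.items()):
        if any(r["type"] == "AVC" for r in recs):
            continue  # MAC denial: scontext/tcontext live in the AVC record
        if not any(r["fields"].get("success") == "no" for r in recs):
            continue  # request succeeded; not a denial
        labels = {k for r in recs for k in r["fields"] if k in ("subj", "obj")}
        if labels != {"subj", "obj"}:
            bad.append(serial)
    return bad
```

Event 43 is the case the reply describes: without a callback into the security module, the DAC denial record reaches the log with no security contexts at all.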