On Tue, 12 Aug 2003 11:42:10 EDT, Ripin Natani <ripinfsat_private> said:

> I was going through the mail archives and found a lot of mails debating
> about the inclusion of auditing. So what is the status of auditing with
> SELinux ? I

Auditing is *OUT*, currently.

The biggest problem is that any proper auditing scheme would require the logging of "fail" and "succeed" records for cases where the code had made the decision long before it ever got to the LSM hook. The canonical example is 'touch foo; chmod 0 foo; cat foo' - there needs to be a "fail" logged on the permissions check, which never bothers calling LSM because it already KNOWS it has failed.

To fix this would require one of:

1) *MUCH* more intrusive hooking to add logging at the appropriate points.

2) Changing LSM to be an "authoritative" rather than "restrictive" system, so the LSM hooks would ALWAYS be called.

Both were considered undoable for the 2.6 timeframe.
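The check ordering described in the message above, as an added example that is not part of the original post and is not kernel code. It is a user-space model in which `file_model`, `dac_check`, `lsm_hook` and the two `permission_*` functions are hypothetical names, and the module hook is assumed to log every decision it is shown.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space model of the check ordering; not kernel code. */
struct file_model { unsigned mode; unsigned owner; };

static int audit_fail, audit_succeed;   /* records written by the module */

/* Classic owner/other mode-bit check (group bits omitted for brevity). */
static int dac_check(const struct file_model *f, unsigned uid, unsigned want)
{
    unsigned bits = (uid == f->owner) ? (f->mode >> 6) & 7 : f->mode & 7;
    return (bits & want) == want ? 0 : -EACCES;
}

/* Hypothetical module hook: logs every decision it is shown and, in this
 * model, never grants more than DAC did. */
static int lsm_hook(int dac_rc)
{
    if (dac_rc) audit_fail++; else audit_succeed++;
    return dac_rc;
}

/* "Restrictive": the hook is consulted only after DAC has already said yes. */
int permission_restrictive(const struct file_model *f, unsigned uid, unsigned want)
{
    int rc = dac_check(f, uid, want);
    if (rc)
        return rc;              /* early return: module never sees the failure */
    return lsm_hook(rc);
}

/* "Authoritative": the hook is always called and is handed the DAC result. */
int permission_authoritative(const struct file_model *f, unsigned uid, unsigned want)
{
    return lsm_hook(dac_check(f, uid, want));
}

int main(void)
{
    struct file_model foo = { 0, 1000 };   /* touch foo; chmod 0 foo */
    int rc = permission_restrictive(&foo, 1000, 4);   /* cat foo */
    printf("restrictive:   rc=%d fail_records=%d\n", rc, audit_fail);
    rc = permission_authoritative(&foo, 1000, 4);
    printf("authoritative: rc=%d fail_records=%d\n", rc, audit_fail);
    return 0;
}
```

Both orderings deny the read, but only the second leaves a "fail" record, which is the gap the message describes.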
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 08:54:36 PDT