--- Stephen Smalley <sds@private> wrote:

> On Wed, 2005-02-02 at 08:50, Stephen Smalley wrote:
> > Actually, on second thought, I wonder if selinux_netlink_recv should be
> > calling avc_audit() upon a denial, as otherwise we will see no audit
> > message for a denial even if it is caused by the SELinux computation in
> > selinux_netlink_send. Similar issue for the audit subsystem's
> > capability checks on the receiver side.
>
> Hmmm...except that we won't have the sender's SID available to us in
> selinux_netlink_recv(), so auditing would just occur in the receiver's
> context, possibly incorrectly.

Auditing BSDIPC is an adventure, to be sure. Generating audit records for failed delivery on the receiver side is, as y'all point out, of questionable value without the information about the sender.

The issue has been addressed successfully in past evaluations.

For UNICOS (anyone remember Cray Research?) the evaluation was done under the Red Book model, which treated the computer as a network component and all network connections as login sessions. Since each connection was a login and authenticated (for some value thereof) the information to put in the audit trail was available, albeit not always was it all that useful. The set of services available was pretty limited so as to avoid excessive debate regarding the strength of authentication.

For Trusted Irix (and later Irix) the evaluation was done under the Orange Book model and a collection of computers were treated as a single system, what we would today call a cluster. While auditing is done on the receiver side it is only useful in conjunction with records generated on the sender. The sender side records contain all required information, while receiver side records include what they can. The assumption that all senders are audited makes this work.

The UNICOS scheme is more in tune with modern deployment, hence providing better guidance.
If you expect to allow a system to provide network services you need to include an argument as to how it is all the services are login sessions, and how it is the user information is provided, even if that means that you have to make it up.

=====
Casey Schaufler
casey@schaufler-ca.com
This archive was generated by hypermail 2.1.3 : Wed Feb 02 2005 - 08:42:57 PST