--- Valdis.Kletnieks@private wrote:

> Many auditing policies require an audit event to be generated if the operation
> is rejected by *either* the DAC (as implemented by the file permissions
> and possibly ACLs) *or* the MAC (as implemented by the LSM exit). However,
> in most (all?) cases, the DAC check is made *first*, and the LSM exit isn't
> even called if the DAC check fails. As a result, if you try to open() a file
> and get -EPERM due to the file permissions, the LSM exit isn't called and
> you can't cut an audit record there.

The advice given by the NSA during our B1 evaluation was that in the case above the MAC check should be done first (because it's more important) and because you want the audit record to report the MAC failure whenever possible. The team advised us that if we didn't do the MAC check first we would have a tough row to hoe explaining the design decision and an even tougher time explaining that the audit of MAC criteria had been met.

=====
Casey Schaufler
casey@schaufler-ca.com
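
The check-ordering effect discussed in this exchange, as an added example that is not part of either message and is not kernel or LSM code: a constructed user-space model in C that runs the same requests through a DAC-first and a MAC-first check and counts how many MAC denials produce an audit record. All names (`dac_check`, `mac_check`, `check_dac_first`, `check_mac_first`, `mac_denials_audited`) and the sample requests are hypothetical.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model, not kernel code: each request carries both verdicts. */
struct request { const char *path; int dac_ok; int mac_ok; };
enum { AUDIT_DAC = 1, AUDIT_MAC = 2 };   /* bit set when a record is cut */
typedef int (*check_fn)(const struct request *, unsigned *);

/* Hypothetical hooks: a denial cuts that layer's audit record.
 * -EPERM is used because that is the error named in the quoted message. */
static int deny(unsigned *audit, unsigned bit) { *audit |= bit; return -EPERM; }
static int dac_check(const struct request *r, unsigned *audit)
{ return r->dac_ok ? 0 : deny(audit, AUDIT_DAC); }
static int mac_check(const struct request *r, unsigned *audit)
{ return r->mac_ok ? 0 : deny(audit, AUDIT_MAC); }

/* DAC first: a DAC denial returns before the MAC hook is ever called. */
int check_dac_first(const struct request *r, unsigned *audit)
{
    int rc = dac_check(r, audit);
    return rc ? rc : mac_check(r, audit);
}

/* MAC first: every MAC denial reaches the hook and is recorded. */
int check_mac_first(const struct request *r, unsigned *audit)
{
    int rc = mac_check(r, audit);
    return rc ? rc : dac_check(r, audit);
}

/* Constructed sample: all four DAC/MAC verdict combinations. */
static const struct request sample[] = {
    { "/a", 1, 1 }, { "/b", 0, 1 }, { "/c", 1, 0 }, { "/d", 0, 0 },
};

/* Count sample requests whose MAC denial produced an audit record. */
size_t mac_denials_audited(check_fn check)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        unsigned audit = 0;
        check(&sample[i], &audit);
        if (audit & AUDIT_MAC) n++;
    }
    return n;
}

int main(void)
{
    printf("DAC first: %zu of 2 MAC denials audited\n", mac_denials_audited(check_dac_first));
    printf("MAC first: %zu of 2 MAC denials audited\n", mac_denials_audited(check_mac_first));
    return 0;
}
```

In this model the request that both layers would deny (`/d`) is the one whose MAC record is lost under the DAC-first ordering.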
This archive was generated by hypermail 2.1.3 : Wed Feb 16 2005 - 07:53:23 PST