Re: Thoughts on the "No Linux Security Modules framework" old claims

From: Valdis.Kletnieks@private
Date: Wed Feb 16 2005 - 09:41:19 PST


On Wed, 16 Feb 2005 07:52:51 PST, Casey Schaufler said:

> The advice given by the NSA during our B1
> evaluation was that in the case
> above the MAC check should be done
> first (because it's more important) and
> because you want the audit record to report
> the MAC failure whenever possible. The
> team advised us that if we didn't do the MAC
> check first we would have a tough row to hoe
> explaining the design decision and an even
> tougher time explaining that the audit of
> MAC criteria had been met.

Fine advice, if the LSM exits had in fact been structured that way.
But the LSM hooks are where they are, and as a result not useful for
auditing.  As others noted, the current 2.6 kernel *does* have a separate
audit framework (although it will still report DAC failures in preference
to MAC failures).

I admit having no good idea how to solve that issue, other than having the
audit framework do a dummy LSM call to see if a MAC failure would have been
reported as well if it's an audited syscall.  But that's still quite high
on the bletcherous scale....
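
The ordering problem and the "dummy LSM call" workaround discussed in this message, as an added example that is not part of the original message and is not kernel code. It is a user-space model: every type, function and constant name is hypothetical, the MAC rule is a simple "no read up" stand-in, and every call is assumed to be audited.

```c
/* User-space model only; all names are hypothetical, not kernel or LSM APIs. */
#include <stdio.h>

enum { AUDIT_NONE = 0, AUDIT_DAC = 1, AUDIT_MAC = 2 };

struct subject { int uid; int level; };            /* level: MAC sensitivity label */
struct object  { int owner; int other_read; int level; };

/* DAC: the owner may read; others only if the "other read" bit is set. */
static int dac_denies(const struct subject *s, const struct object *o)
{
    return !(s->uid == o->owner || o->other_read);
}

/* MAC stand-in: "no read up" on sensitivity levels. */
static int mac_denies(const struct subject *s, const struct object *o)
{
    return s->level < o->level;
}

/* DAC first; the MAC check is reached only if DAC passes.
 * Returns 0 on allow, -1 on deny; *audit gets the failure reasons recorded. */
int check_dac_first(const struct subject *s, const struct object *o, int *audit)
{
    *audit = AUDIT_NONE;
    if (dac_denies(s, o)) { *audit = AUDIT_DAC; return -1; }
    if (mac_denies(s, o)) { *audit = AUDIT_MAC; return -1; }
    return 0;
}

/* Workaround from the message: after a DAC failure, make a dummy MAC call
 * purely so the audit record can report the MAC failure as well. */
int check_with_dummy_mac(const struct subject *s, const struct object *o, int *audit)
{
    int rc = check_dac_first(s, o, audit);
    if (rc != 0 && (*audit & AUDIT_DAC) && mac_denies(s, o))
        *audit |= AUDIT_MAC;
    return rc;
}

int main(void)
{
    struct subject s = { 1000, 0 };   /* constructed: unprivileged user, low label */
    struct object  o = { 0, 0, 2 };   /* constructed: root-owned, high label */
    int a, b;
    check_dac_first(&s, &o, &a);
    check_with_dummy_mac(&s, &o, &b);
    printf("dac-first audit=%d, with dummy MAC call audit=%d\n", a, b);
    return 0;
}
```

With the constructed subject and object, the DAC-first path records only the DAC failure, while the variant with the dummy call records both; the access decision is the same in each case.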




