On Mon, 5 Apr 2004 22:51, Stephen Smalley <sds@xxxxxxxxxxxxxx> wrote:
> identity using that audit framework rather than SELinux. Also, the
> existing SELinux auditing of permission checks could be configured to
> audit all transitions to and from the su domains, such that the SELinux
> user identity transitions would be logged as they occur, e.g. adding
> something like 'auditallow $1_t $1_su_t:process transition; auditallow
> $1_su_t userdomain:process transition;' to
> policy/macros/program/su_macros.te (caveat: untested).

The problem with this is that you need to analyse a lot of log data to get the
result. Someone could run su days or weeks before performing an action that
is undesirable.

The audit framework can be used instead, it's just another thing that we have
to learn and support in our log file analysis programs.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
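
The log analysis discussed in this message, as an added example that is not part of the original post: it scans kernel log text for the "avc: granted" records that the quoted auditallow rules would produce and reports each transition out of an su domain where the SELinux user identity changed. The log lines are constructed, and the field layout, the `_su_t` naming and the function name `su_identity_changes` are assumptions.

```python
import re

# Constructed sample lines in the style of SELinux "avc: granted" records.
# The exact field layout varies by kernel version and is an assumption here.
SAMPLE_LOG = """\
Apr  5 09:12:01 host kernel: avc:  granted  { transition } for  pid=2001 exe=/bin/bash path=/bin/su scontext=rjc:staff_r:staff_t tcontext=rjc:staff_r:staff_su_t tclass=process
Apr  5 09:12:04 host kernel: avc:  granted  { transition } for  pid=2001 exe=/bin/su path=/bin/bash scontext=rjc:staff_r:staff_su_t tcontext=root:sysadm_r:sysadm_t tclass=process
Apr  5 09:30:00 host kernel: avc:  denied  { read } for  pid=2100 exe=/bin/cat scontext=bob:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
Apr  5 10:02:47 host kernel: avc:  granted  { transition } for  pid=2300 exe=/bin/su path=/bin/bash scontext=bob:user_r:user_su_t tcontext=bob:user_r:user_t tclass=process
"""

AVC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s.*avc:\s+(?P<result>\w+)\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)


def su_identity_changes(log_text):
    """Return transitions out of an su domain that changed the SELinux user."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m or m["result"] != "granted":
            continue  # auditallow rules log as "granted"; skip denials and noise
        fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        if fields.get("tclass") != "process":
            continue
        if "transition" not in m["perms"].split():
            continue
        src = fields.get("scontext", "").split(":")
        dst = fields.get("tcontext", "").split(":")
        if len(src) < 3 or len(dst) < 3:
            continue  # malformed context, expected user:role:type
        # Keep only exits from an su domain where the user field differs.
        if src[2].endswith("_su_t") and src[0] != dst[0]:
            events.append({
                "time": m["ts"], "pid": fields.get("pid"),
                "from_user": src[0], "to_user": dst[0], "to_type": dst[2],
            })
    return events


if __name__ == "__main__":
    for ev in su_identity_changes(SAMPLE_LOG):
        print(ev)
```

Because the identity change may precede the action of interest by days or weeks, the returned records would need to be kept and joined against later events for the same session rather than searched for on demand.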