On Thu, 2020-01-02 at 09:06 -0800, Casey Schaufler wrote:
> IMA refines security_audit_rule_init to security_filter_rule_init.
> I need to understand what, if any, relationship there is between
> IMA's use of the audit rule mechanisms and the audit system's use.
> Is this simple code reuse, or is there some interaction between IMA
> and audit?
>
> I'm trying to sort out the problem of audit rules when
> there are multiple security modules. It looks as if there is also a
> problem for integrity rules, but it looks different. The "easy"
> change for audit doesn't fit with what's in IMA. If there's no
> interaction between the IMA and audit use of the rule infrastructure
> it's reasonable to fix them separately. If there is interaction
> things get messy.

They're both comparing rules with LSM labels. In IMA's case, the LSM
labels are used to identify which files are in/out of the IMA policy -
"measurement", "appraisal", and "audit". I'm not sure how different
this is than the audit subsystem.

Mimi