On Fri, 2021-01-01 at 12:45 +0530, Ashish Mishra wrote:
> Hi Group Members,
>
> Good Morning & Happy New Year!
>
> Can group members please provide any input / feedback for the below
> functionality support in SELinux:
>
> a) Is there any mechanism to generate an event / notification for
> SELinux denials?
> I came across Logstash, Logentries and Splunk, which I am
> currently looking at.
> Is there any SELinux equivalent plugin or any other way that is
> SELinux specific?

Have you looked at using the audit log services (auparse, ausearch etc.)?

This has the code and a number of examples for detecting AVC entries:
https://github.com/linux-audit/audit-userspace

Some sample programs here:
https://security-plus-data-science.blogspot.com/2017/04/writing-basic-auparse-program.html

This is an example where I wanted to detect specific events in the testsuite (you should be able to pick the relevant bits):
https://lore.kernel.org/selinux/20201104164913.11536-2-richard_c_haines@xxxxxxxxxxxxxx/

> b) Is there any mechanism to block certain system call / library
> calls?
> I came across "seccomp" from https://lwn.net/Articles/656307/
> But is there any SELinux equivalent plugin or any other way that is
> SELinux specific, or should "seccomp" be the preferred way for this task?
>
> Any pointer / feedback / inputs will be helpful on the same.
>
> Thanks,
> Ashish
>
> On Sun, Dec 27, 2020 at 2:17 PM Ashish Mishra <ashishm@xxxxxxxxxx>
> wrote:
> >
> > Hi All,
> >
> > For one of our internal projects we wanted to evaluate the
> > functionality below.
> > Can group members please share any input w.r.t. whether the below
> > aspects can be implemented, or any pointers on the same:
> >
> > a) Is there any mechanism to generate an event / notification for
> > SELinux denials?
> > (Say we have an action which is denied; instead of the user
> > reading the log file, is there any notification mechanism which
> > can be used?)
> >
> > b) Is there any mechanism to block calling of certain system
> > calls / library calls?
> > (The idea is to discourage certain instances of a container from
> > calling some predefined system calls & library functions.)
> >
> > Any pointers or comments or feedback on these two points will be
> > helpful.
> >
> > Thanks,
> > Ashish
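As an added example, not code from the thread or from the audit-userspace project: a small Python filter that does the job an auparse/ausearch consumer would do for point (a), turning enforced AVC denials into notification strings. The audit records it parses are constructed samples laid out in the standard AVC record format; field names (scontext, tcontext, tclass, permissive) are the ones the kernel emits.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample audit.log records (not from the thread). The SYSCALL
# record shares serial 456 with the first AVC; the last AVC is permissive.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1609483200.123:456): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1609483200.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1609483260.500:457): avc:  granted  { setenforce } for  pid=99 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1609483300.000:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

@dataclass
class AvcEvent:
    time: float
    serial: int          # ties the AVC to its SYSCALL/PROCTITLE records
    result: str          # "denied" or "granted"
    perms: List[str]     # permissions inside { ... }
    fields: Dict[str, str]

def parse_avc(line: str) -> Optional[AvcEvent]:
    """Return an AvcEvent for a type=AVC record, None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcEvent(float(m.group("time")), int(m.group("serial")),
                    m.group("result"), m.group("perms").split(), fields)

def find_denials(lines: Iterable[str], include_permissive: bool = False) -> List[AvcEvent]:
    """Denied AVCs only; permissive=1 denials were logged but not blocked."""
    events = (parse_avc(line) for line in lines)
    return [e for e in events if e and e.result == "denied"
            and (include_permissive or e.fields.get("permissive") == "0")]

def notification(e: AvcEvent) -> str:
    f = e.fields
    mode = "permissive" if f.get("permissive") == "1" else "enforcing"
    return (f"SELinux denied {{ {' '.join(e.perms)} }} on {f.get('tclass')} "
            f"for comm={f.get('comm')} pid={f.get('pid')} "
            f"({f.get('scontext')} -> {f.get('tcontext')}) [{mode}, serial {e.serial}]")

if __name__ == "__main__":
    for ev in find_denials(SAMPLE_AUDIT_LOG.splitlines(), include_permissive=True):
        print(notification(ev))
```

In production the same functions would be fed from `ausearch -m AVC -i` output or an auparse callback rather than a string, and `notification()` would hand its result to whatever alerting channel (syslog, webhook) is in use.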