[rsbac] Re: Thoughts on the "No Linux Security Modules framework" old claims

Casey Schaufler casey at schaufler-ca.com
Wed Feb 16 16:52:51 CET 2005

--- Valdis.Kletnieks at vt.edu wrote:

> Many auditing policies require an audit event to be
> generated if the operation
> is rejected by *either* the DAC (as implemented by
> the file permissions
> and possibly ACLs) *or* the MAC (as implemented by
> the LSM exit).  However,
> in most (all?) cases, the DAC check is made *first*,
> and the LSM exit isn't
> even called if the DAC check fails.  As a result, if
> you try to open() a file
> and get -EPERM due to the file permissions, the LSM
> exit isn't called and
> you can't cut an audit record there.

The advice given by the NSA during our B1
evaluation was that is was that in the case
above was that the MAC check should be done
first (because it's more important) and
because you want the audit record to report
the MAC failure whenever possible. The
team advised us that if we didn't do the MAC
check first we would have a tough row to hoe
explaining the design decision and an even
tougher time explaining that the audit of
MAC criteria had been met.

Casey Schaufler
casey at schaufler-ca.com

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

More information about the rsbac mailing list