[rsbac] Re: Thoughts on the "No Linux Security Modules framework" old claims

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Feb 16 18:41:19 CET 2005

On Wed, 16 Feb 2005 07:52:51 PST, Casey Schaufler said:

> The advice given by the NSA during our B1
> evaluation was that in the case
> above the MAC check should be done
> first (because it's more important) and
> because you want the audit record to report
> the MAC failure whenever possible. The
> team advised us that if we didn't do the MAC
> check first we would have a tough row to hoe
> explaining the design decision and an even
> tougher time explaining that the audit of
> MAC criteria had been met.

Fine advice, if the LSM exits had in fact been structured that way.
But the LSM hooks are where they are, and as a result not useful for
auditing.  As others noted, the current 2.6 kernel *does* have a separate
audit framework (although it will still report DAC failures in preference
to MAC failures).

I admit having no good idea how to solve that issue, other than having the
audit framework do a dummy LSM call to see if a MAC failure would have been
reported as well if it's an audited syscall.  But that's still quite high
on the bletcherous scale....
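
Added example, not part of the original message and not kernel or LSM code: a toy C model of the ordering problem discussed above, showing how a DAC-first check hides a MAC denial from the reported reason, and what an audit-side extra MAC query would record. All types, functions and sample values are hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Toy model, not kernel code; every name below is hypothetical. */
enum { ALLOW = 0, DENY_DAC = 1, DENY_MAC = 2 };
struct subject { unsigned uid; int level; };              /* level = MAC label */
struct object  { unsigned owner; unsigned mode; int level; };

/* Constructed sample: low-level user 1000 reads a root-owned 0600 file labelled high. */
static const struct subject sample_subj = { 1000, 0 };
static const struct object  sample_obj  = { 0, 0600, 2 };

static int dac_read_ok(const struct subject *s, const struct object *o)
{   /* owner needs the owner-read bit, anyone else the other-read bit */
    return s->uid == o->owner ? (o->mode & 0400) != 0 : (o->mode & 0004) != 0;
}

static int mac_read_ok(const struct subject *s, const struct object *o)
{   /* simple "no read up" rule on sensitivity levels */
    return s->level >= o->level;
}

/* DAC first: the reported reason hides a MAC violation whenever DAC also denies. */
static int check_dac_first(const struct subject *s, const struct object *o)
{
    if (!dac_read_ok(s, o)) return DENY_DAC;
    return mac_read_ok(s, o) ? ALLOW : DENY_MAC;
}

/* MAC first: the ordering recommended in the quoted advice. */
static int check_mac_first(const struct subject *s, const struct object *o)
{
    if (!mac_read_ok(s, o)) return DENY_MAC;
    return dac_read_ok(s, o) ? ALLOW : DENY_DAC;
}

/* Audit-side extra MAC query: enforcement order untouched, record carries both reasons. */
static int audit_reasons(const struct subject *s, const struct object *o)
{
    return (dac_read_ok(s, o) ? 0 : DENY_DAC) | (mac_read_ok(s, o) ? 0 : DENY_MAC);
}

int main(void)
{
    printf("DAC-first reports %d, MAC-first reports %d, audit mask %d\n",
           check_dac_first(&sample_subj, &sample_obj),
           check_mac_first(&sample_subj, &sample_obj),
           audit_reasons(&sample_subj, &sample_obj));
    return 0;
}
```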