From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 08 Oct 2008 15:49:25 -0400
Subject: [refpolicy] flask_access_vectors.patch
In-Reply-To: <200810061710.53807.sgrubb@redhat.com>
References: <48DAA8AE.8060708@redhat.com> <1223318125.2165.44.camel@gorn> <48EA6C6B.9020204@redhat.com> <200810061710.53807.sgrubb@redhat.com>
Message-ID: <1223495365.2165.116.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2008-10-06 at 17:10 -0400, Steve Grubb wrote:
> On Monday 06 October 2008 03:52:11 pm Daniel J Walsh wrote:
> > Christopher J. PeBenito wrote:
> > > On Wed, 2008-09-24 at 16:53 -0400, Daniel J Walsh wrote:
> > >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/flask_access_vectors.patch
> > >>
> > >> Add nlmsg_tty_audit for netlink_audit_socket.
> > >
> > > Is there a reference for this? I don't remember seeing anything on the
> > > main SELinux list.
> >
> > This comes from the new auditing keystroke patch to the kernel. Not sure
> > if this was talked about on selinux or just audit list.
> >
> > Added sgrubb since I am not sure he is on the refpolicy list.
>
> No I am not on that list. I sent a patch
>
> http://article.gmane.org/gmane.comp.security.selinux/6759
>
> a long time ago allowing better control of TTY audit because the alternative
> is to allow setting audit rules on processes that we only need to send tty
> info. So, this should reduce the capabilities required for some processes and
> keep the audit system better protected.
>
> This is a more detailed description of what the audit side is:
>
> https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html
>
> Everything is in place to use this except SE Linux policy.

So the permission is in Linus' tree? or James'?

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150