Re: [PATCH 2/3] CRED: Split the task security data and move part of it into struct cred



On Wed, 2007-09-26 at 14:30 +0100, David Howells wrote:
> Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> > Precisely when to use one identity vs. the other though isn't always
> > clear, and the potential for accidental divergence is also a concern.
>
> What should auditing use in audit_filter_rules() when dealing with
> AUDIT_SUBJ_* cases? Should the SUBJ cases use the subjective SID and the
> AUDIT_OBJ_* cases use the objective SID? On the other hand AUDIT_OBJ_* cases
> don't seem to have anything to do with tasks.

(cc'd linux-audit)

As you say, I don't think AUDIT_OBJ_* has anything to do with tasks,
just object labels (like inode labels).

I think you likely want the actor SID / subject SID or whatever you want
to call it for AUDIT_SUBJ_*.

--
Stephen Smalley
National Security Agency
