Calculated field / command to determine category violation in SELinux AVCs #7
Labels
Comments
|
Confirmed category constraint violation AVC looks the same as domain/type policy violation. See example below: |
|
Once this feature is working, the TE dashboard should then filter out information-flow constraint violations (or at least add it as a checkbox option) so only domain/type AVCs are represented; then create a new MLS/MCS dashboard. |
|
Created POC external command lookup to do this, but naturally it's not ready for v2.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It would be very useful to have a calculated field (eval) which automatically compares the category set of the subject and object to determine a violation of the MCS policy (however it may be too complex for an eval and therefore require a new command would be required). In this way, a user could simply alert upon a search such as: eventtype=auditd_events type=AVC category_violation=true
Doing the equivalent for clearance/sensitivity would be a great deal easier I think, but so few people use SELinux as a Trusted System, so it doesn't seem like a priority at this stage.
The text was updated successfully, but these errors were encountered: