Getting the program name in audit messages
Stephen Smalley
sds at tycho.nsa.gov
Fri Apr 1 13:35:44 UTC 2005
On Fri, 2005-04-01 at 14:36 +0100, David Woodhouse wrote:
> Setting the auditable flag is only going to cause audit_log_exit() to be
> called on syscall exit _if_ audit_syscall_exit() is actually called.
>
> That's often in the slow path of the syscall return, and triggered only
> if something like TIF_SYSCALL_AUDIT is set in the thread_info flags.
Sorry, do you have an example of where this would be a problem?
Also, the only truly required information in avc_audit is the relevant
security contexts, security class, and permission(s); everything else is
just supplemental data to help track down the causes of policy denials.
I always expected that the audit framework would ultimately take over
handling of such supplemental data for SELinux, leaving it to only deal
with the MAC-specific information.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
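
An added example, not part of the original message and not SELinux or audit project code: a small parser that splits an AVC record into the fields the message calls truly required (security contexts, class, permissions) and the supplemental remainder. The record layout and the sample line are assumptions, constructed in the style that current kernels log.

```python
import re

# Fields the message above calls truly required, besides the permission set.
REQUIRED = ("scontext", "tcontext", "tclass")

# Constructed sample record (assumed layout, not taken from the thread).
SAMPLE = ('type=AVC msg=audit(1112362544.123:42): avc:  denied  { read write } '
          'for  pid=2550 comm="httpd" name="index.html" dev="dm-0" ino=12345 '
          'scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')

_AVC = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                  r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_avc(record):
    """Return (mac, supplemental) dicts for one AVC record.

    mac holds the decision, permissions, contexts and class; supplemental
    holds everything else (pid, comm, name, ...). Raises ValueError when the
    line is not an AVC record or lacks a required field.
    """
    m = _AVC.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group("rest"))}
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    mac = {k: fields.pop(k) for k in REQUIRED}
    mac["result"] = m.group("result")
    mac["perms"] = m.group("perms").split()
    return mac, fields


if __name__ == "__main__":
    mac, supplemental = split_avc(SAMPLE)
    print("MAC decision:", mac)
    print("supplemental:", supplemental)
```

A record with the supplemental fields stripped still parses, while one without `tclass` or a context is rejected.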