[PATCH] LSPP audit enablement: storing selinux ocontext and scontext

Steve Grubb sgrubb at redhat.com
Tue Sep 27 19:23:39 UTC 2005


On Tuesday 27 September 2005 01:57, Valdis.Kletnieks at vt.edu wrote:
> > 1500 - 1599 kernel LSPP events
> > 1700 - 1799 kernel crypto events
> > 1800 - 1999 future kernel use (maybe integrity labels and related events)
>
> < and so on..>
>
> Am I the only one who thinks "100 entries will be enough" sounds
> suspiciously like "640K should be enough for anybody"?

I'm thinking it should be enough unless vendors want to clip their programs 
into the audit system and start inventing their own numbers.

> Do we either have a way to guarantee that it will be enough (go with
> pseudo-fractional entries a la '1701 subtype 1, 2, 3, 1702 subtype 1..8,
> 1703 subtype 1..934, etc', or a way to expand it, keeping in mind
> forward/backward compatibility issues)?

Well, we could easily continue the same kind of messages in another block. So 
far, we've only consumed < 20 message types on any block. I really can't see 
100 different kinds of LSPP kernel message types.

-Steve



