[PATCH] LSPP audit enablement: storing selinux ocontext and scontext

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Sep 27 23:02:00 UTC 2005


On Tue, 27 Sep 2005 15:23:39 EDT, Steve Grubb said:
> On Tuesday 27 September 2005 01:57, Valdis.Kletnieks at vt.edu wrote:
> > > 1500 - 1599 kernel LSPP events
> > > 1700 - 1799 kernel crypto events
> > > 1800 - 1999 future kernel use (maybe integrity labels and related events)
> >
> > < and so on..>
> >
> > Am I the only one who thinks "100 entries will be enough" sounds
> > suspiciously like "640K should be enough for anybody"?
> 
> I'm thinking it should be enough unless vendors want to clip their programs 
> into the audit system and start inventing their own numbers.

That's basically what I was worried about.

> Well, we could easily continue the same kind of messages in another block. So 
> far, we've only consumed < 20 message types on any block. I really can't see 
> a 100 different kinds of LSPP kernel message types.

That's just waiting for a bug report when somebody's software doesn't play nice
with "2100..2199,2700..2799" type ranges.  Agreed the kernel probably won't need
a lot more, but we might want to make sure we have bigger ranges available for
userspace.  Maybe make each userspace range 1K wide rather than 100?  (Yes,
I know that's just putting the Y2K problem off to 2038 ;)