[PATCH 1/2] SELinux Context Label based audit filtering
Stephen Smalley
sds at tycho.nsa.gov
Fri Feb 3 15:49:47 UTC 2006
On Fri, 2006-02-03 at 10:33 -0500, Stephen Smalley wrote:
> On Fri, 2006-02-03 at 10:20 -0500, Steve Grubb wrote:
> > On Friday 03 February 2006 10:20, Stephen Smalley wrote:
> > > So is the above filter supposed to be applied to just the terminal
> > > component or all of them?
> >
> > I would expect it to be the object that is actually opened rather than any
> > intermediate path components.
>
> Hmm..well, audit system harvests the information for the inodes as the
> lookup proceeds, so it ends up with the information for all of them.
> And the last one might not even be the terminal component of the
> specified path; it may just be the last one before it hit some error
> (like a search denial on a directory component).
Also, you still need to distinguish between filters on process context
and filters on object context at the least.
--
Stephen Smalley
National Security Agency