[PATCH 1/2] SELinux Context Label based audit filtering

Stephen Smalley sds at tycho.nsa.gov
Fri Feb 3 15:32:54 UTC 2006


On Fri, 2006-02-03 at 10:20 -0500, Steve Grubb wrote:
> On Friday 03 February 2006 10:20, Stephen Smalley wrote:
> > So is the above filter supposed to be applied to just the terminal
> > component or all of them?
> 
> I would expect it to be the object that is actually opened rather than any 
> intermediate path components.

Hmm... well, the audit system harvests the information for the inodes as the
lookup proceeds, so it ends up with the information for all of them.
And the last one might not even be the terminal component of the
specified path; it may just be the last one before it hit some error
(like a search denial on a directory component).

-- 
Stephen Smalley
National Security Agency
