SELinux Context Label based audit filtering
Stephen Smalley
sds at tycho.nsa.gov
Mon Feb 6 13:34:30 UTC 2006
On Fri, 2006-02-03 at 16:34 -0600, Dustin Kirkland wrote:
> On Fri, 2006-02-03 at 16:14 -0500, Stephen Smalley wrote:
> > Carrying the SIDs gives you the option of passing them to SELinux so
> > that it can immediately look up the context structure and perform
> > comparisons, extract values, etc w/o needing to re-parse the context
> > string. But you may still need to carry the context strings to avoid
> > allocation failures at the end when it is too late to abort the
> > operation.
>
> Gotcha. I'll continue carrying the context strings to avoid eventual
> allocation failures for the time being.
The other option of course is to just accept that we might fail on that
allocation (as there are other potential failure cases at the same
point), log what we can (e.g. the SIDs), and call audit_panic. That
saves us the overhead of always allocating and generating those context
strings when we don't need them.
--
Stephen Smalley
National Security Agency
More information about the Linux-audit
mailing list