[redhat-lspp] Re: [PATCH] change lspp inode auditing
Steve Grubb
sgrubb at redhat.com
Thu Mar 30 14:22:41 UTC 2006
On Thursday 30 March 2006 08:24, Stephen Smalley wrote:
> > In that case, the patch writes out the sid number. Given a sid, is there
> > a way to find it in the policy on disk? If not, that might be useful to
> > have.
>
> SIDs aren't persistent identifiers.
Do 2 back-to-back loads of the same policy produce the same sids?
> > If we record the sid number, do we really need to call audit_panic?
>
> See above. The SID is useless for off-line analysis, and you'd have to
> inspect kernel memory to even map it to a context - kernel SIDs aren't
> exported to userspace. Again, by design.
I have a feeling that we may need to close the loop somehow. I really don't
anticipate this being a normal condition at all. But just in case...
-Steve