[PATCH]Fix me add subj
Steve Grubb
sgrubb at redhat.com
Wed Aug 27 16:53:32 UTC 2008
On Wednesday 27 August 2008 12:04:26 Matt Anderson wrote:
> On Tue, Aug 26, 2008 at 04:08:35PM -0400, Steve Grubb wrote:
> > On Tuesday 26 August 2008 15:55:51 Stephen Smalley wrote:
> > > So if you want the code to work with either, you'd directly
> > > read /proc/pid/attr/current and display the resulting string. ??If you
> > > want to be SELinux-specific and include functionality like MLS label
> > > translation, you'd use getpidcon(3).
> >
> > Thanks, that's very helpful. I think we want the raw data and then do
> > context translations later in the parsing library if someone asks for it.
>
> Can we be sure the delayed translation will be correct?
I don't plan to add translations any time soon. We also don't have time to do
a translation while logging. So, we will just have raw data for a while.
> It seems to me that by then the policy or the translation could have changed
> and although you may have an audit of that event you wouldn't necessarily be
> able to reconstruct the context that should appear in the log.
True and something that will need to be worked around.
-Steve
More information about the Linux-audit
mailing list