[PATCH 3rd revision] Add SELinux context support to AUDIT target

Mr Dash Four mr.dash.four at googlemail.com
Wed Jun 8 18:04:04 UTC 2011 

> It doesn't matter if its private. If its important enough to log to the audit system, 
> we can't let something like this slide.
>   
Oh, yes it does! For you may be it doesn't, but that doesn't necessarily 
mean that applies to everyone else.

>>> Besides, this numerical representation isn't reliable - these numbers
>>> are dynamic and can change - another reason why they should not be
>>> allowed to be present in the audit log. 
>>>       
>
> Doesn't matter.
Oh, yes it does! If you are content or used to putting heaps of useless 
and meaningless "data" in the audit logs (and lets be frank, that is 
what this number is to the admins or other people who will be looking at 
those logs), then you may wish to submit another patch to the 
netfilter-dev list for review with whatever takes your fancy in it, and 
see how far does that take you!

I won't be doing that as I am not at all convinced that the number you 
are asking me to add is anything more than a piece of useless junk!

>  Its the event that we want and all its attributes. If the label is not 
> correct, how else are we going to know?
This isn't a label! It is, for all intents and purposes, a random number 
which may have been used to point to something.

How many times would you like me, or other people on this list, to 
repeat that until there is a remote chance that you will finally get it?

>>> What happens if I make changes to my security policy and then run
>>> ausearch/aureport? 
>>>       
>
> Nothing.
>   
Absolute rubbish and what's worse is that you know it!

>>> I am either going to see different (wrong!) context reported if ausearch/aureport
>>> attempts to "convert" those numbers into SELinux context, or, I am
>>> going to see meaningless numbers. Either way, useless or misleading
>>> information is going to be reported and we don't want that, do we?
>>>       
>
> Yes, we do.
>   
You do what?! Put a complete rubbish in the audit logs? May be you do, 
but I don't.

Again, I am not contributing to something which places misleading and/or 
useless information in the audit logs. It is not desired and unless I am 
convinced otherwise, there is little chance of me altering my patch, so 
it stays as I originally submitted it.

More information about the Linux-audit mailing list