Preferred subj= with multiple LSMs

Paul Moore paul at paul-moore.com
Tue Jul 16 23:13:54 UTC 2019


On Tue, Jul 16, 2019 at 6:18 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> It sounds as if some variant of the Hideous format:
>
>         subj=selinux='a:b:c:d',apparmor='z'
>         subj=selinux/a:b:c:d/apparmor/z
>         subj=(selinux)a:b:c:d/(apparmor)z
>
> would meet Steve's searchability requirements, but with significant
> parsing performance penalties.

I think "hideous format" sums it up nicely.  Whatever we choose here
we are likely going to be stuck with for some time and I'm near to
100% that multiplexing the labels onto a single field is going to be a
disaster.

-- 
paul moore
www.paul-moore.com
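
The three multiplexed variants quoted in the message above, decoded into per-LSM labels. This is an added example, not part of the original message or of the audit project's code. The function names, and the assumption that LSM names are word characters and that labels contain no quote, slash or parenthesis, belong to this example only, since the thread defines no escaping rule.

```python
import re

# Constructed sample values, copied from the three variants quoted above.
SAMPLES = {
    "quoted":  "selinux='a:b:c:d',apparmor='z'",
    "slashed": "selinux/a:b:c:d/apparmor/z",
    "paren":   "(selinux)a:b:c:d/(apparmor)z",
}

# Assumed grammar: one name/label pair, then a separator or end of field.
_QUOTED = re.compile(r"(\w+)='([^']*)'(?:,|$)")
_PAREN = re.compile(r"\((\w+)\)([^/()]*)(?:/|$)")


def _scan(pattern, value):
    """Walk the whole field with an anchored regex; reject anything left over."""
    pos, labels = 0, {}
    while pos < len(value):
        m = pattern.match(value, pos)
        if m is None:
            raise ValueError(f"malformed subj at offset {pos}: {value!r}")
        labels[m.group(1)] = m.group(2)
        pos = m.end()
    return labels


def parse_quoted(value):
    return _scan(_QUOTED, value)


def parse_paren(value):
    return _scan(_PAREN, value)


def parse_slashed(value):
    """name/label pairs; only unambiguous if no label contains '/'."""
    parts = value.split("/")
    if len(parts) % 2:
        raise ValueError(f"odd number of fields: {value!r}")
    return dict(zip(parts[0::2], parts[1::2]))


PARSERS = {"quoted": parse_quoted, "slashed": parse_slashed, "paren": parse_paren}


def label_for(variant, value, lsm):
    """Every lookup has to decode the full field before it can compare."""
    return PARSERS[variant](value).get(lsm)
```

A label that itself contains `/` (AppArmor profile names are often file paths) either fails to parse or is silently split into bogus pairs by the slashed variant, so any of these formats would also need an escaping rule.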




More information about the Linux-audit mailing list