Stephen Smalley wrote:
> I'd rather do this the same way as compute_sid_handle_invalid_context(),
> i.e. generate the context strings up front using
> context_struct_to_string() after looking up the SIDs, use
> policydb.p_class_val_to_name[tclass-1] to look up the class name, and
> perform a single audit_log() call. Since you are already within the
> security server at this point, you don't have to do it in the same
> manner as the AVC. And you already log error messages on any invalid
> SIDs or classes (in which case you aren't going to be able to look them
> up anyway). So I think you just want to call a similar helper as
> compute_sid_handle_invalid_context() in the case where
> constraint_expr_eval() fails.
>

Yeah, I really could have made this nicer when I moved the functionality into security_validate_transition (I originally had it in another function which was called after security_validate_transition)...

How about the attached patch instead?

--
Darrel