From: Amy Griffis
Subject: Re: audit-ptrace patch (untested)
Date: Wed, 14 Mar 2007 11:57:00 -0400
Message-ID: <20070314155700.GA27762@fc.hp.com>
In-Reply-To: <20070313193909.GH12417@devserv.devel.redhat.com>
To: Alexander Viro
Cc: Eric Paris, linux-audit@redhat.com, James Morris
List-Id: linux-audit@redhat.com

Alexander Viro wrote: [Tue Mar 13 2007, 03:39:09PM EDT]
> On Tue, Mar 13, 2007 at 03:00:46PM -0400, Amy Griffis wrote:
> > > + if (sid)
> > > + selinux_sid_to_string(sid, &context->obj_ctx, &len);
> > > +}
> >
> > Why did you choose to do the sid to string conversion at collection
> > time, rather than waiting for audit_log_exit?
>
> Narrower window for sid_to_context to change...

Okay, I hadn't thought of that. But is it really more of a problem
for processes than for ipc or inodes?

It's true that processes can change their context, but that would
change the sid, and we've already collected that data. The
sid-to-context-string mapping will only change on policy load.

I see the argument for narrowing the window, but I'd like to see audit
pick one way and stick to it.

Amy
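
Review bot: the return value of selinux_sid_to_string() is discarded in the `if (sid)` branch of the quoted hunk, so a failed conversion leaves context->obj_ctx and len unset and the record silently loses the object's label. Check the return and, on failure, keep the raw sid so the exit-time record can still report it numerically. Keeping the sid alongside the string would also let the collection-time versus audit_log_exit question raised in this thread be settled without changing what is collected.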