From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH]Fix me add subj
Date: Tue, 26 Aug 2008 16:08:35 -0400
Message-ID: <200808261608.36217.sgrubb@redhat.com>
References: <006001c90119$cb3a5e20$958da70a@truly> <200808261534.44590.sgrubb@redhat.com> <1219780551.2721.261.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1219780551.2721.261.camel@moss-spartans.epoch.ncsc.mil>
To: Stephen Smalley
Cc: 'linux-audit'
List-Id: linux-audit@redhat.com

On Tuesday 26 August 2008 15:55:51 Stephen Smalley wrote:
> On Tue, 2008-08-26 at 15:34 -0400, Steve Grubb wrote:
> > On Monday 18 August 2008 06:04:25 Chu Li wrote:
> > >   I have made a patch for "Fixme add subj" in auditd.c. This is for the
> > > latest codes.
> >
> > Now that the audit svn is open for new work...I started to apply this
> > patch. But then I got to thinking about SMACK. It probably does not like
> > us to get selinux labels. I was wondering if we need to try to get its
> > label, too? And I was wondering if both SE Linux and SMACK could be
> > running at the same time? If they can, do we collect both labels?
>
> They are exclusive of one another, and they both provide the process
> label via /proc/pid/attr/current.  libselinux wraps that kernel
> interface with getcon() (for current context) and getpidcon() (for
> context of a given pid), which internally handle the allocation of the
> buffer and will deal with label translation if using mcstransd.
>
> So if you want the code to work with either, you'd directly
> read /proc/pid/attr/current and display the resulting string.  If you
> want to be SELinux-specific and include functionality like MLS label
> translation, you'd use getpidcon(3).

Thanks, that's very helpful. I think we want the raw data and then do context
translations later in the parsing library if someone asks for it.

-Steve
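
The raw-label approach discussed in this message, as an added example that is not part of the thread or of the audit code base: it reads /proc/<pid>/attr/current and returns the string untranslated, so it has no libselinux dependency. The helper names read_label_file and read_pid_label are hypothetical, and trimming a trailing NUL or newline is a defensive assumption.

```c
/* Added example, not auditd code; helper names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read a raw, untranslated label from path into buf (NUL-terminated).
 * Returns the label length, or -1 with errno set. */
ssize_t read_label_file(const char *path, char *buf, size_t buflen)
{
    size_t used = 0;
    ssize_t n;
    int fd, saved;

    if (buflen < 2) { errno = EINVAL; return -1; }
    if ((fd = open(path, O_RDONLY)) < 0)
        return -1;                 /* e.g. ENOENT: the task has exited */
    while ((n = read(fd, buf + used, buflen - used)) != 0) {
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0 || used + (size_t)n == buflen) {
            /* read error or full buffer: never return a truncated label */
            saved = n < 0 ? errno : ERANGE;
            close(fd);
            errno = saved;
            return -1;
        }
        used += (size_t)n;
    }
    close(fd);
    /* Drop a trailing NUL or newline so callers get a plain C string. */
    while (used > 0 && (buf[used - 1] == '\0' || buf[used - 1] == '\n'))
        used--;
    buf[used] = '\0';
    if (used == 0) { errno = EINVAL; return -1; }
    return (ssize_t)used;
}

/* Label of one pid through the interface named in the thread. */
ssize_t read_pid_label(pid_t pid, char *buf, size_t buflen)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%ld/attr/current", (long)pid);
    return read_label_file(path, buf, buflen);
}
```

A caller that wants its own label passes getpid() to read_pid_label; a -1 return means no label could be read and the record should say so rather than carry a partial string.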