From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [PATCH]Fix me add subj Date: Wed, 27 Aug 2008 12:53:32 -0400 Message-ID: <200808271253.33122.sgrubb@redhat.com> References: <006001c90119$cb3a5e20$958da70a@truly> <200808261608.36217.sgrubb@redhat.com> <20080827160426.GA10066@ldl.fc.hp.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20080827160426.GA10066@ldl.fc.hp.com> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Matt Anderson Cc: 'linux-audit' List-Id: linux-audit@redhat.com On Wednesday 27 August 2008 12:04:26 Matt Anderson wrote: > On Tue, Aug 26, 2008 at 04:08:35PM -0400, Steve Grubb wrote: > > On Tuesday 26 August 2008 15:55:51 Stephen Smalley wrote: > > > So if you want the code to work with either, you'd directly > > > read /proc/pid/attr/current and display the resulting string. ??If you > > > want to be SELinux-specific and include functionality like MLS label > > > translation, you'd use getpidcon(3). > > > > Thanks, that's very helpful. I think we want the raw data and then do > > context translations later in the parsing library if someone asks for it. > > Can we be sure the delayed translation will be correct? I don't plan to add translations any time soon. We also don't have time to do a translation while logging. So, we will just have raw data for a while. > It seems to me that by then the policy or the translation could have changed > and although you may have an audit of that event you wouldn't necessarily be > able to reconstruct the context that should appear in the log. True and something that will need to be worked around. -Steve