From: Matt Anderson
Subject: Re: [PATCH]Fix me add subj
Date: Wed, 27 Aug 2008 10:04:26 -0600
Message-ID: <20080827160426.GA10066@ldl.fc.hp.com>
References: <006001c90119$cb3a5e20$958da70a@truly> <200808261534.44590.sgrubb@redhat.com> <1219780551.2721.261.camel@moss-spartans.epoch.ncsc.mil> <200808261608.36217.sgrubb@redhat.com>
In-Reply-To: <200808261608.36217.sgrubb@redhat.com>
To: Steve Grubb
Cc: 'linux-audit'
List-Id: linux-audit@redhat.com

On Tue, Aug 26, 2008 at 04:08:35PM -0400, Steve Grubb wrote:
> On Tuesday 26 August 2008 15:55:51 Stephen Smalley wrote:
> > So if you want the code to work with either, you'd directly
> > read /proc/pid/attr/current and display the resulting string. If you
> > want to be SELinux-specific and include functionality like MLS label
> > translation, you'd use getpidcon(3).
>
> Thanks, that's very helpful. I think we want the raw data and then do context
> translations later in the parsing library if someone asks for it.

Can we be sure the delayed translation will be correct? Maybe I'm
misinterpreting you, but it sounds like you're saying that the context
would only be resolved when a user was scanning the audit log. It seems
to me that by then the policy or the translation could have changed and
although you may have an audit of that event you wouldn't necessarily be
able to reconstruct the context that should appear in the log.

-matt
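
The raw read of /proc/pid/attr/current described in the quoted text, as an added C example that is not part of the original message or of the audit code base. The helper names `read_raw_label` and `pid_raw_label` are hypothetical; the label is returned exactly as the kernel reports it, with no translation applied.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: read a raw LSM label from an attr file into out.
 * Returns the label length, or -1 with errno set. No translation is done. */
ssize_t read_raw_label(const char *path, char *out, size_t outsz)
{
    if (outsz == 0) {
        errno = EINVAL;
        return -1;
    }
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;               /* no such pid, or no permission */
    ssize_t n = read(fd, out, outsz - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;           /* e.g. the attribute is not readable here */
        return -1;
    }
    /* The value may end in a NUL or a newline depending on the LSM. */
    while (n > 0 && (out[n - 1] == '\0' || out[n - 1] == '\n'))
        n--;
    out[n] = '\0';
    return n;
}

/* Hypothetical helper: raw label of a process, LSM-agnostic. */
ssize_t pid_raw_label(pid_t pid, char *out, size_t outsz)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%ld/attr/current", (long)pid);
    return read_raw_label(path, out, outsz);
}

int main(void)
{
    char label[4096];
    if (pid_raw_label(getpid(), label, sizeof(label)) < 0) {
        perror("attr/current");
        return EXIT_FAILURE;
    }
    printf("subj=%s\n", label);  /* raw string, as it would be recorded */
    return EXIT_SUCCESS;
}
```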