From: "Eric Paris" <eparis@parisplace.org>
To: Stephen Smalley <sds@tycho.nsa.gov>, linux-audit@redhat.com
Cc: James Morris <jmorris@namei.org>, selinux@tycho.nsa.gov
Subject: Re: [PATCH v4] selinux: support deferred mapping of contexts
Date: Wed, 7 May 2008 11:29:36 -0400
Message-ID: <7e0fb38c0805070829q1bda9233h1f71865634776e71@mail.gmail.com>
In-Reply-To: <1210173806.6434.84.camel@moss-spartans.epoch.ncsc.mil>

On Wed, May 7, 2008 at 11:23 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>
> On Wed, 2008-05-07 at 11:17 -0400, Eric Paris wrote:
> > > I assume we do NOT want to use this variant interface when getting
> > > contexts to display in audit messages, as we want the audit messages to
> > > correspond to the actual denial and to yield proper policy if turned
> > > into an allow rule.
> >
> > Is there any way we could get them both displayed if there is a
> > denial? Might be interesting to know both that the denial was
> > actually unlabeled_t object but also what the 'incorrect' label
> > was.....
>
> Easy to do kernel-side, but requires a new avc audit field that won't
> cause any complaints by audit userland or tools like audit2allow.

Well, I'm not concerned about audit userland, if they can't handle
arbitrary users or the audit subsystem that's an audit failure. As to
audit2allow I'm clueless but I guess I could take a look if others
think it is an interesting piece of knowledge...

-Eric