On Thu, 2006-03-30 at 09:21 -0600, Serge E. Hallyn wrote:
> > However, that does bring up a separate issue beyond the inability to
> > allocate the context; the SID may be invalidated by a policy load, at
> That was what I was addressing.
> > which point you'll get back the unlabeled context upon subsequent
> > attempts to map it to a context. Hence, if you have a policy reload
> You couldn't end up with a completely wrong context this way?
No, at policy reload time, the SID table is remapped, with each context
either re-translated to the new representation or dropped entirely if
invalid. In the latter case, later lookups will return the unlabeled
SID's context instead.
--
Stephen Smalley
National Security Agency
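
A small model of the remap described in the reply above, added here as an example and not taken from the SELinux source or from this thread. The policy tables, type names, SID numbers and function names are all constructed. Contexts are held as indices into the loaded policy, so a reload has to re-translate each entry by name or mark it invalid.

```c
#include <stdio.h>
#include <string.h>

#define SID_UNLABELED 0   /* constructed value for this model */
#define NTYPES 3
#define NSIDS 4

struct policy { const char *types[NTYPES]; };   /* index -> type name */
struct sid_entry { int type_idx; int valid; };  /* policy-specific form */

static struct policy old_pol = { { "unlabeled_t", "httpd_t", "legacy_t" } };
static struct policy new_pol = { { "httpd_t", "unlabeled_t", "sshd_t" } };
static const struct policy *cur = &old_pol;

/* SID 0 is the unlabeled SID; SIDs 1..3 were allocated under old_pol. */
static struct sid_entry sidtab[NSIDS] = { {0, 1}, {1, 1}, {2, 1}, {1, 1} };

static int find_type(const struct policy *p, const char *name)
{
    for (int i = 0; i < NTYPES; i++)
        if (strcmp(p->types[i], name) == 0)
            return i;
    return -1;
}

/* Reload: re-translate each entry by name, or drop it if the new policy
 * has no such type. Reusing the old index unchanged would instead turn
 * SID 1 into "unlabeled_t" and SID 2 into "sshd_t" in this model. */
static void reload_policy(const struct policy *newp)
{
    for (int s = 0; s < NSIDS; s++) {
        if (!sidtab[s].valid)
            continue;
        int idx = find_type(newp, cur->types[sidtab[s].type_idx]);
        if (idx < 0)
            sidtab[s].valid = 0;        /* dropped entirely */
        else
            sidtab[s].type_idx = idx;   /* new representation */
    }
    cur = newp;
}

/* Lookup: a dropped or unknown SID yields the unlabeled SID's context. */
static const char *sid_to_context(unsigned sid)
{
    if (sid >= NSIDS || !sidtab[sid].valid)
        sid = SID_UNLABELED;
    return cur->types[sidtab[sid].type_idx];
}
```
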