On Thursday 30 March 2006 08:24, Stephen Smalley wrote:
> > In that case, the patch writes out the sid number. Given a sid, is there
> > a way to find it in the policy on disk? If not, that might be useful to
> > have.
>
> SIDs aren't persistent identifiers.

Do two back-to-back loads of the same policy produce the same sids?

> > If we record the sid number, do we really need to call audit_panic?
>
> See above. The SID is useless for off-line analysis, and you'd have to
> inspect kernel memory to even map it to a context - kernel SIDs aren't
> exported to userspace. Again, by design.
I have a feeling that we may need to close the loop somehow. I really don't
anticipate this being a normal condition at all. But just in case...
-Steve