On Tue, Aug 26, 2008 at 04:08:35PM -0400, Steve Grubb wrote:
On Tuesday 26 August 2008 15:55:51 Stephen Smalley wrote:
> So if you want the code to work with either, you'd directly
> read /proc/pid/attr/current and display the resulting string. ??If you
> want to be SELinux-specific and include functionality like MLS label
> translation, you'd use getpidcon(3).
Thanks, that's very helpful. I think we want the raw data and then do context
translations later in the parsing library if someone asks for it.
Can we be sure the delayed translation will be correct? Maybe I'm
misinterpreting you, but it sounds like your saying that the context
would only be resolved when a user was scanning the audit log. It seems
to me that by then the policy or the translation could have changed and
although you may have an audit of that event you wouldn't necessarily be
able to reconstruct the context that should appear in the log.
-matt