Re: [redhat-lspp] Re: [PATCH] change lspp inode auditing
On Wed, 2006-03-29 at 13:18 -0600, Serge E. Hallyn wrote:
Maybe this is a silly idea... but what about just somehow hashing
on
(sid,policy_version), where uint policy_version is incremented on each
selinux policy load?
The audit code would fill in an entry for au_ctx_hash(sid,policy_version),
if it isn't already filled in, when the context would previously have been
preallocated. But it stores (sid, policy_version) in the audit record,
and grabs the value from the table when it's time to actually log the
entry, i.e. where Steve's current patch fills in the string.
I guess whether this is worth it depends on how likely we are to lose
information with this current patch on a live system.
People seem to constantly forget that SIDs aren't persistent and that
kernel SIDs aren't exported to userspace. So it doesn't help much to
augment them with a policy version.
However, that does bring up a separate issue beyond the inability to
allocate the context; the SID may be invalidated by a policy load, at
which point you'll get back the unlabeled context upon subsequent
attempts to map it to a context. Hence, if you have a policy reload
between the time you collect the SID and the time you generate the
context, you could "lose" the actual context information. But I think
that is mostly a documentation/procedural issue - don't ever remove
labels from the policy upon policy updates.
--
Stephen Smalley
National Security Agency