On Tue, 6 Dec 2005, Dustin Kirkland wrote:
> - I would expect to be crucified if I attempted to do strcmp() or
> strstr() string comparisons/matches in the kernel at the oft-called
> filters, so I'm really hoping to keep this to integer comparisons. For
> that, I think I might need an api into SELinux to get some sort of
> integer looking value to compare. Am I approaching this correctly?
> This all seems pretty ugly.
Internally, SELinux uses SIDs (integers) which can be translated to
security contexts (strings), from which you can extract the role.
Let's say you then keep a mapping of SIDs to roles (with roles translated
to your own integer representation), you'd get an expensive hit the first
time this had to be determined, but then it could be reasonably cheap.
We'd also need to handle policy change, probably generating an event (the
infrastructure for this exists already in SELinux) which flushes your
SID/role mappings.
- James
--
James Morris
<jmorris(a)redhat.com>
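The caching scheme James sketches (pay for the SID-to-context string translation once, keep an integer SID-to-role table for the hot path, and flush that table when policy changes) as an added userspace illustration. This is example code written for this page, not code from the thread or from SELinux: `sid_to_context()` and the `sample_contexts` table are constructed stand-ins for the kernel's SID table and are not the real SELinux API, and the role-id interning is the caller's own integer representation that the reply mentions.

```c
/* Added example, not from the thread or from SELinux. Userspace sketch of a
 * SID -> role integer cache with flush-on-policy-change. */
#include <stdio.h>
#include <string.h>

#define MAX_SIDS     64
#define MAX_ROLES    16
#define ROLE_UNKNOWN (-1)
#define SLOT_EMPTY   (-2)   /* cache slot not yet resolved */

/* Constructed sample SID -> context table; stands in for the kernel's SID table. */
static const char *sample_contexts[MAX_SIDS] = {
    [1] = "system_u:system_r:kernel_t:s0",
    [2] = "system_u:system_r:init_t:s0",
    [3] = "user_u:user_r:user_t:s0",
    [4] = "staff_u:staff_r:staff_t:s0",
};

static int expensive_lookups;   /* how many times the string path was taken */

/* Stand-in (hypothetical) for the expensive SID -> context string translation. */
static int sid_to_context(unsigned sid, const char **ctx)
{
    expensive_lookups++;
    if (sid >= MAX_SIDS || !sample_contexts[sid])
        return -1;
    *ctx = sample_contexts[sid];
    return 0;
}

/* Our own role interning: role name -> small integer. Ids stay stable across
 * policy reloads so filter rules holding them remain valid. */
static char role_names[MAX_ROLES][32];
static int  role_count;

static int intern_role(const char *name, size_t len)
{
    for (int i = 0; i < role_count; i++)
        if (strlen(role_names[i]) == len && memcmp(role_names[i], name, len) == 0)
            return i;
    if (role_count == MAX_ROLES || len >= sizeof role_names[0])
        return ROLE_UNKNOWN;
    memcpy(role_names[role_count], name, len);
    role_names[role_count][len] = '\0';
    return role_count++;
}

/* Role is the second colon-separated field of user:role:type[:range]. */
static int role_from_context(const char *ctx)
{
    const char *start = strchr(ctx, ':');
    if (!start)
        return ROLE_UNKNOWN;
    start++;
    const char *end = strchr(start, ':');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    return intern_role(start, len);
}

static int sid_role_cache[MAX_SIDS];
static int cache_initialised;

static void flush_sid_role_cache(void)
{
    for (int i = 0; i < MAX_SIDS; i++)
        sid_role_cache[i] = SLOT_EMPTY;
    cache_initialised = 1;
}

/* Hot path: an integer after the first (expensive) resolution of each SID. */
int sid_to_role(unsigned sid)
{
    if (!cache_initialised)
        flush_sid_role_cache();
    if (sid >= MAX_SIDS)
        return ROLE_UNKNOWN;
    if (sid_role_cache[sid] != SLOT_EMPTY)
        return sid_role_cache[sid];

    const char *ctx;
    int role = ROLE_UNKNOWN;
    if (sid_to_context(sid, &ctx) == 0)
        role = role_from_context(ctx);
    sid_role_cache[sid] = role;   /* negative results are cached too */
    return role;
}

/* Policy reload handler: SID -> context may have changed, so drop the cache. */
void on_policy_change(void)
{
    flush_sid_role_cache();
}

int expensive_lookup_count(void) { return expensive_lookups; }

int main(void)
{
    int r = sid_to_role(1);
    printf("sid 1 -> role id %d (%s), expensive lookups so far: %d\n",
           r, r >= 0 ? role_names[r] : "?", expensive_lookup_count());
    printf("sid 1 again -> %d, expensive lookups: %d\n", sid_to_role(1), expensive_lookup_count());
    on_policy_change();
    printf("after policy change, sid 1 -> %d, expensive lookups: %d\n",
           sid_to_role(1), expensive_lookup_count());
    return 0;
}
```

The filter then compares `sid_to_role(sid)` against the integer id of the role it cares about; only a policy change invalidates the SID cache, while the role ids themselves (which belong to the filter, not to SELinux) stay fixed.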