Re: [PATCH] cleanups + fixes against audit.56

--- Steve Grubb <sgrubb(a)redhat.com&gt; wrote: The right thing to do is report the pathname and attributes of the component upon which the access control decision failed or ultimatly succeeded. Thus, for /a/b/c if the access was successful the audit record ought to always contain the path "/a/b/c" and the attributes of "c". If the access control failed on "b", the record needs to include "/a/b" and the attributes of "b" as well as an indication that what you were ultimatly after was "/a/b/c/", even though you never got there. If the access failed on "c" the record needs the path "/a/b/c" and the attributes of "c", just as in the success case. This can get hairy. On exec(), for example, the audit record may include the path of a directory, not a program file. You have to be ready for this in postprocessing. You never want the attributes of the directory on a successful access, this does not make sense and certainly fails the CAPP requirement. You only want the attributes of the directory if that is the object upon which access was denied. Casey Schaufler casey(a)schaufler-ca.com __________________________________ Discover Yahoo! Get on-the-go sports scores, stock quotes, news and more. Check it out! http://discover.yahoo.com/mobile.html