On Fri, 2005-04-01 at 14:36 +0100, David Woodhouse wrote:
Setting the auditable flag is only going to cause audit_log_exit() to be
called on syscall exit _if_ audit_syscall_exit() is actually called.
That's often in the slow path of the syscall return, and triggered only
if something like TIF_SYSCALL_AUDIT is set in the thread_info flags.
Sorry, do you have an example of where this would be a problem?
Also, the only truly required information in avc_audit is the relevant
security contexts, security class, and permission(s); everything else is
just supplemental data to help track down the causes of policy denials.
I always expected that the audit framework would ultimately take over
handling of such supplemental data for SELinux, leaving it to only deal
with the MAC-specific information.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency