Re: [PATCH 1/2] SELinux Context Label based audit filtering

On Fri, 2006-02-03 at 10:20 -0500, Steve Grubb wrote: > On Friday 03 February 2006 10:20, Stephen Smalley wrote: > > So is the above filter supposed to be applied to just the terminal > > component or all of them? > > I would expect it to be the object that is actually opened rather than any > intermediate path components. Hmm..well, audit system harvests the information for the inodes as the lookup proceeds, so it ends up with the information for all of them. And the last one might not even be the terminal component of the specified path; it may just be the last one before it hit some error (like a search denial on a directory component).