On Mon, 2008-10-20 at 06:56 -0400, Steve Grubb wrote:
> On Saturday 18 October 2008 11:23:12 Eric Paris wrote:
> > type=PATH msg=audit(1224342849.465:43): item=0 name="/bin/ping" inode=49227
> > dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000002000
> > cap_inheritable=0000000000000000
>
> The kernel abbreviates these as: capprm & capinh in the proc file system. I'm
> thinking shorter names would save some disk space.
>
> > This good? If either cap_permitted or cap_inheritable have anything set
> > I show them both.
>
> And they are otherwise missing to save disk space?

Yes, see the example :)

> > In the above example would you rather I only showed
> > cap_permitted and dropped cap_inheritable?
>
> No. It's my understanding that apps could have something inheritable by
> children and we'd want to know exactly what that was.

Notice this record is only about the perms on the file. My question was
that in the above example I have a capprm set on the file but I do not
have a capinh set on the file. To save space would you rather I only
showed the capprm or should I show the 0 capinh as well? The opposite
would also be true: if I had capinh set on a file but didn't have capprm
set, should I display only the capinh or display both capinh and a blank
capprm?
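As an added example (not code from this thread or from the audit project), the following parser shows how a consumer of these PATH records would read the proposed cap_permitted / cap_inheritable fields: both are 64-bit hex masks, they are omitted entirely when neither is set (as agreed above), and an absent field therefore has to be treated as zero rather than as a parse error. The capability bit numbers come from the kernel's capability.h (bit 13 is CAP_NET_RAW, which is why the /bin/ping record carries 0000000000002000). The record for /bin/ping is the one quoted in the thread; the other sample records, the function names and the "watch list" of capabilities are constructed for the example.

```python
"""Parse audit PATH records and decode file-capability masks.

Added example, not part of the mailing-list thread. Sample records
other than the /bin/ping one are constructed for illustration.
"""
import re

# Capability names by bit number, from the kernel's capability.h
# (bits 0-31; any higher bit is reported as CAP_<n>).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP",
}

# key=value pairs; values are either a double-quoted string (name="...")
# or a run of non-space characters (inode=49227, cap_permitted=00...).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Record quoted in the thread (/bin/ping with CAP_NET_RAW permitted).
PING_RECORD = (
    'type=PATH msg=audit(1224342849.465:43): item=0 name="/bin/ping" inode=49227 '
    'dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 '
    'obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000002000 '
    'cap_inheritable=0000000000000000'
)
# Constructed: a file with no capabilities, so both fields are absent.
PLAIN_RECORD = (
    'type=PATH msg=audit(1224342850.001:44): item=0 name="/bin/true" inode=49300 '
    'dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0'
)
# Constructed: a file carrying CAP_SYS_ADMIN (bit 21) in permitted.
ADMIN_RECORD = (
    'type=PATH msg=audit(1224342851.002:45): item=0 name="/opt/tool" inode=49400 '
    'dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 '
    'cap_permitted=0000000000200000 cap_inheritable=0000000000200000'
)


def parse_record(line):
    """Return the record's key=value fields as a dict, with quotes stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_caps(mask_hex):
    """Turn a hex capability mask into a sorted list of capability names."""
    mask = int(mask_hex, 16)
    return [CAP_NAMES.get(bit, "CAP_%d" % bit) for bit in range(64) if (mask >> bit) & 1]


def file_caps(fields):
    """Decode both file-capability sets; absent fields mean 'nothing set'."""
    prm = fields.get("cap_permitted", "0")
    inh = fields.get("cap_inheritable", "0")
    return {"permitted": decode_caps(prm), "inheritable": decode_caps(inh)}


def watched_caps(fields, watch=("CAP_SYS_ADMIN", "CAP_SETUID", "CAP_DAC_OVERRIDE",
                                "CAP_SYS_MODULE", "CAP_SYS_PTRACE")):
    """Names from the (constructed) watch list present in either set, for alerting."""
    caps = file_caps(fields)
    present = set(caps["permitted"]) | set(caps["inheritable"])
    return sorted(c for c in watch if c in present)


if __name__ == "__main__":
    for rec in (PING_RECORD, PLAIN_RECORD, ADMIN_RECORD):
        f = parse_record(rec)
        print(f["name"], file_caps(f), "watch:", watched_caps(f))
```

Because the kernel emits either both fields or neither, a consumer that alerts on "cap_inheritable present but cap_permitted missing" (or vice versa) would be checking for a state the record format cannot produce; the parser above instead keys on the decoded bits, which is what a detection rule on unexpected file capabilities should do.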