Re: [RFC][PATCH] selinux: Report result in avc messages

On Tue, 2014-04-29 at 16:54 -0700, Stephen Smalley wrote: > Requested for Android in order to distinguish denials that are not in > fact breaking anything yet due to permissive domains versus denials > that are being enforced, but seems generally useful. result field was > already in the selinux audit data structure and was being passed to > avc_audit() but wasn't being used. Seems to cause no harm to ausearch > or audit2allow to add it as a field. Comments? I think it's a great idea, but I'm worried that Steve is going to get grumpy because an AVC record is going to have a result= field which is similar, but not necessarily related to the res= field of a SYSCALL record. Seems easily confused (although probably 9999 times out of 10000 they will be the same) So while I wholeheartedly think we should take the idea, I wonder if someone can dream up a name that isn't confusingly similar... I can't think of anything... -Eric -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit