Quoting Eric Paris (eparis(a)redhat.com):
On Mon, 2008-10-20 at 11:31 -0500, Serge E. Hallyn wrote:
> Quoting Eric Paris (eparis(a)redhat.com):
> > type=SYSCALL msg=audit(1224342849.465:43): arch=c000003e syscall=59 success=yes exit=0 a0=25b6a00 a1=2580410 a2=2580140 a3=8 items=2 ppid=2219 pid=2266 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > type=EXECVE msg=audit(1224342849.465:43): argc=2 a0="ping" a1="127.0.0.1"
> > type=CWD msg=audit(1224342849.465:43): cwd="/root"
> > type=PATH msg=audit(1224342849.465:43): item=0 name="/bin/ping" inode=49227 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000002000 cap_inheritable=0000000000000000
> > type=PATH msg=audit(1224342849.465:43): item=1 name=(null) inode=507963 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> >
> > This good? If either cap_permitted or cap_inheritable have anything set
> > I show them both. In the above example would you rather I only showed
> > cap_permitted and dropped cap_inheritable? Did I see correctly that
>
> I think dropping the empty one is fine.
>
> Steve's suggestion of cap_prm and cap_inh are good for being shorter and
> matching proc output. But OTOH it's a bit confusing as at first I
> thought these were the task's values. Would it be too terse to just
> use fP and fI?
> Yes, too terse. How about cap_fP, cap_fI, cap_fVer, cap_fEffBit?
Well it's a PATH record type so it should be obvious that these are file
caps, so better to stick with Steve's suggestions, right?
> Based on your other comments I'm going to go add fVer and fEffBit.
cap_ver and cap_legacy?
I can't explain it, but fEffBit makes me think of Twiki...
thanks,
-serge
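To make concrete what a consumer of these new PATH fields has to do, here is a small decoder for the records quoted above. This is example code added for this thread, not part of Eric's patch or of audit-userspace: it splits audit key=value lines, joins PATH items to the SYSCALL record with the same serial, turns the cap_permitted / cap_inheritable hex masks into capability names (bit numbers as in linux/capability.h; 0x2000 is bit 13, CAP_NET_RAW, which is why ping carries it), treats a missing cap_* field as an empty mask so that dropping the all-zero field as agreed above parses the same, and flags executed files whose permitted set contains a capability worth an alert. The capability name table, the WATCH set, and the second event (serial 44, /usr/local/bin/helper with cap_permitted=0000000000200080) are constructed for the example; the serial 43 records are the ones from the thread, unwrapped.

```python
"""Decode cap_permitted / cap_inheritable from audit PATH records.
Example written for this thread; not code from the audit patch."""
import re
from collections import defaultdict

# Capability bit numbers as in linux/capability.h (bits 0..33 at the time
# of this thread); later bits are reported by number.
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN",
)

# Serial 43 is the event quoted in the thread (mail wrapping removed);
# serial 44 is constructed here to show a file with broad capabilities.
SAMPLE = [
    'type=SYSCALL msg=audit(1224342849.465:43): arch=c000003e syscall=59 success=yes exit=0 a0=25b6a00 a1=2580410 a2=2580140 a3=8 items=2 ppid=2219 pid=2266 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
    'type=EXECVE msg=audit(1224342849.465:43): argc=2 a0="ping" a1="127.0.0.1"',
    'type=CWD msg=audit(1224342849.465:43): cwd="/root"',
    'type=PATH msg=audit(1224342849.465:43): item=0 name="/bin/ping" inode=49227 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000002000 cap_inheritable=0000000000000000',
    'type=PATH msg=audit(1224342849.465:43): item=1 name=(null) inode=507963 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0',
    'type=SYSCALL msg=audit(1224342900.001:44): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=2301 auid=500 uid=500 comm="helper" exe="/usr/local/bin/helper" key=(null)',
    'type=PATH msg=audit(1224342900.001:44): item=0 name="/usr/local/bin/helper" inode=1 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 cap_permitted=0000000000200080',
]

# key=value tokens: values are either "quoted" or a bare run of non-space
# characters (hex masks, numbers, SELinux contexts, (null)).
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_SERIAL = re.compile(r'audit\(\d+\.\d+:(\d+)\)')


def parse_audit_line(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, value in _FIELD.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_caps(mask_hex):
    """Hex capability mask -> list of capability names in bit order."""
    mask = int(mask_hex, 16)
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(64) if mask >> b & 1]


def file_caps_per_exec(lines):
    """One entry per PATH item, joined to the SYSCALL record of its serial.
    A PATH record with no cap_* field is an empty mask, so a logger that
    omits the all-zero field decodes the same as one that prints it."""
    by_serial = defaultdict(list)
    for line in lines:
        f = parse_audit_line(line)
        m = _SERIAL.search(f.get("msg", ""))
        if m:
            by_serial[int(m.group(1))].append(f)
    out = []
    for serial, recs in sorted(by_serial.items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), {})
        for r in recs:
            if r.get("type") != "PATH":
                continue
            out.append({
                "serial": serial,
                "exe": syscall.get("exe"),
                "name": r.get("name"),
                "permitted": decode_caps(r.get("cap_permitted", "0")),
                "inheritable": decode_caps(r.get("cap_inheritable", "0")),
            })
    return out


# Constructed watch list: file caps that amount to root if the binary is weak.
WATCH = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SETUID",
         "CAP_SETFCAP", "CAP_DAC_OVERRIDE", "CAP_SYS_PTRACE"}


def flag_file_caps(entries, watch=WATCH):
    """(serial, name, hits) for PATH items whose permitted set touches watch."""
    flagged = []
    for e in entries:
        hits = sorted(set(e["permitted"]) & watch)
        if hits:
            flagged.append((e["serial"], e["name"], hits))
    return flagged


if __name__ == "__main__":
    entries = file_caps_per_exec(SAMPLE)
    for e in entries:
        print(e["serial"], e["exe"], e["name"], e["permitted"], e["inheritable"])
    print("flagged:", flag_file_caps(entries))
```

The ld.so item (item=1) has no cap_* fields at all in the quoted record, and the decoder reports it as empty rather than missing; whatever the final field names end up being (cap_prm/cap_inh or cap_fP/cap_fI), only the two dictionary keys in file_caps_per_exec need to change.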