On Friday 08 April 2005 17:11, David Woodhouse wrote:
> Going back to the issue of auditd shutdown, however -- are we satisfied
> with merely generating records when the audit_pid is signalled, or
> should I revert that patch while we seek a better solution?

I've never seen kernel 19 log the signal.

We are going to have the exact same problem when we add the code for LSPP. I'd
like to have a solution lined up so we don't face the same problem. When we
start making the LSPP capable, we will need to record the SE Linux label for
the user that sent the signal.

What we could do is perform a switcheroo in the kernel. If a signal is
permitted to be sent to the audit daemon, put the loginuid into the si_uid
field of siginfo_t. si_uid will always be 0, so why not overwrite it with
something meaningful? Next question would be what field could we use for the
SE Linux context?

Otherwise, I think a SA_AUDITINFO sigaction flag would be cleanest. Basically,
if we set that flag, it still uses the same function signature:

    void (*sa_sigaction)(int, siginfo_t *, void *);

But we would use a different structure to access the contents of the siginfo_t
pointer. As far as I know, we only need 3-4 fields, so it's smaller than
siginfo_t.

-Steve
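
Added example, not part of the original message and not auditd or kernel code: what a daemon can already read about a signal's sender through an SA_SIGINFO handler with the signature quoted above. The function and variable names are hypothetical, and the proposed SA_AUDITINFO flag is not used because it exists only as an idea in this thread.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Sender details copied out of siginfo_t (names are hypothetical, for this example). */
static volatile sig_atomic_t sender_seen;
static volatile pid_t sender_pid;   /* si_pid: PID of the signalling process */
static volatile uid_t sender_uid;   /* si_uid: its real UID, not the loginuid */
static volatile int sender_code;    /* si_code: SI_USER when sent with kill(2) */

/* Same signature as quoted in the message. */
static void on_term(int sig, siginfo_t *info, void *ucontext)
{
    (void)sig; (void)ucontext;
    /* Async-signal-safe only: copy the fields, log from normal context later. */
    sender_pid = info->si_pid;
    sender_uid = info->si_uid;
    sender_code = info->si_code;
    sender_seen = 1;
}

/* Install the handler, signal ourselves, return 0 if the sender was recorded. */
static int record_self_signal(void)
{
    struct sigaction sa;
    sigset_t unblock;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_term;
    sa.sa_flags = SA_SIGINFO;          /* request the three-argument handler */
    sigemptyset(&sa.sa_mask);
    sigemptyset(&unblock);
    sigaddset(&unblock, SIGTERM);
    sender_seen = 0;
    if (sigaction(SIGTERM, &sa, NULL) != 0) return -1;
    if (sigprocmask(SIG_UNBLOCK, &unblock, NULL) != 0) return -1;
    if (kill(getpid(), SIGTERM) != 0) return -1;  /* delivered before kill() returns */
    return sender_seen ? 0 : -1;
}

int main(void)
{
    if (record_self_signal() != 0) return 1;
    printf("SIGTERM from pid=%ld uid=%ld si_code=%d\n",
           (long)sender_pid, (long)sender_uid, sender_code);
    return 0;
}
```

The si_uid recorded here is the sender's real UID; the loginuid and SE Linux context the message asks about are not carried by this interface.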