On Wed, May 7, 2008 at 11:23 AM, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
> On Wed, 2008-05-07 at 11:17 -0400, Eric Paris wrote:
> > > I assume we do NOT want to use this variant interface when getting
> > > contexts to display in audit messages, as we want the audit messages to
> > > correspond to the actual denial and to yield proper policy if turned
> > > into an allow rule.
> >
> > Is there any way we could get them both displayed if there is a
> > denial? Might be interesting to know both that the denial was
> > actually unlabeled_t object but also what the 'incorrect' label
> > was.....
>
> Easy to do kernel-side, but requires a new avc audit field that won't
> cause any complaints by audit userland or tools like audit2allow.

Well, I'm not concerned about audit userland, if they can't handle
arbitrary users or the audit subsystem that's an audit failure. As to
audit2allow I'm clueless but I guess I could take a look if others
think it is an interesting piece of knowledge...
-Eric