On Fri, 2006-02-03 at 16:14 -0500, Stephen Smalley wrote:
Carrying the SIDs gives you the option of passing them to SELinux so
that it can immediately look up the context structure and perform
comparisons, extract values, etc w/o needing to re-parse the context
string. But you may still need to carry the context strings to avoid
allocation failures at the end when it is too late to abort the
operation.
Gotcha. I'll continue carrying the context strings to avoid eventual
allocation failures for the time being.
Given that we need to precompute a MLS context struct when the audit
filter rule is inserted anyway (so that we can later do efficient
comparisons of MLS levels), we might want to do this for all of the
fields, eliminating string comparisons entirely at audit filter
evaluation time. See my description of the step-by-step approach for
the MLS case in my earlier response to Steve.
Ok, I'm going to work though your 9-step program early next week.
Possibly, but that doesn't create a larger pool of people who
can
contribute in the future to the project...
Understood. Investment in the future ;)
:-Dustin