Stephen Smalley wrote: [Fri Feb 03 2006, 10:32:54AM EST]
On Fri, 2006-02-03 at 10:20 -0500, Steve Grubb wrote:
> On Friday 03 February 2006 10:20, Stephen Smalley wrote:
> > So is the above filter supposed to be applied to just the terminal
> > component or all of them?
>
> I would expect it to be the object that is actually opened rather than any
> intermediate path components.

Hmm..well, audit system harvests the information for the inodes as the
lookup proceeds, so it ends up with the information for all of them.

That may be how the audit system used to work, but it doesn't work
quite like that anymore.

Audit typically collects information about the inode which is the
terminal component of the specified path. If the operation involves
adding or removing objects from a directory, information about the
relevant dentry parent inodes is also collected.

At most, audit would collect information about:

1) source inode
2) source inode's parent
3) target inode
4) target inode's parent

And the last one might not even be the terminal component of the
specified path; it may just be the last one before it hit some error
(like a search denial on a directory component).

In the unsuccessful case, the source or target inode may not be
collected, and the parent inode may be indicated as the last path
component accessed, as you said.

Hope this helps,
Amy