On Thu, 2005-04-14 at 13:35 -0700, Steve G wrote: I didn't see the original posting, but the security_getprocattr (-> selinux_getprocattr) and security_inode_getsecurity (-> selinux_inode_getsecurity) hooks copy security contexts into buffers supplied by the caller. That is what I was referring to. The pathname lookup code would need to be modified to invoke security_inode_getsecurity(), possibly from audit_inode() by passing the inode structure to it, and copy the context into the auxiliary item list on the current audit context for display upon audit_log_exit. And audit_log_exit could be modified to call security_getprocattr to get the current process context and display it. I don't believe anyone has done that yet. There has been a patch to log the exe and comm information for the current task upon audit_log_exit, but that is different. -- Stephen Smalley <sds(a)tycho.nsa.gov&gt; National Security Agency