Steve Grubb wrote: > On Wednesday 20 September 2006 15:12, Stephen Smalley wrote: > >>SELinux userland code isn't supposed to assume any fixed max. >>libselinux does use an initial buffer size as a starting point when >>calling e.g. getxattr, but will resize the buffer to a larger size if >>necessary. > > I try very hard to not have any memory allocations in the audit system to > prevent and possible failure due to fragmentation or leaks. I need to cap the > buffer size at something to meet this design goal. >
If this buffer limitation results in the loss or partial-loss of an audit record is there some notification sent? This seems like an excellent way for an individual to obscure their actions on a system. -- paul moore linux security @ hp -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
