Alexander Viro wrote: [Tue Mar 13 2007, 03:39:09PM EDT]

> On Tue, Mar 13, 2007 at 03:00:46PM -0400, Amy Griffis wrote:
> > > + if (sid)
> > > + selinux_sid_to_string(sid, &context->obj_ctx, &len);
> > > +}
> >
> > Why did you choose to do the sid to string conversion at collection
> > time, rather than waiting for audit_log_exit?
>
> Narrower window for sid_to_context to change...
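Review bot: the return value of selinux_sid_to_string() is discarded in the `if (sid)` branch, so a failed conversion leaves the caller with no way to tell whether context->obj_ctx holds a valid string, and the record emitted later from audit_log_exit will silently lack the object context. Suggest keeping the result, e.g. `rc = selinux_sid_to_string(sid, &context->obj_ctx, &len);`, and on non-zero rc clearing obj_ctx and noting the failure so the missing field in the audit record is explained rather than silent.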
Okay, I hadn't thought of that. But is it really more of a problem for processes than for ipc or inodes? It's true that processes can change their context, but that would change the sid, and we've already collected that data. The sid-to-context-string mapping will only change on policy load. I see the argument for narrowing the window, but I'd like to see audit pick one way and stick to it.

Amy

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
