On Tuesday 26 August 2008 15:55:51 Stephen Smalley wrote:
> On Tue, 2008-08-26 at 15:34 -0400, Steve Grubb wrote:
> > On Monday 18 August 2008 06:04:25 Chu Li wrote:
> > > I have made a patch for "Fixme add subj" in auditd.c. This is for the
> > > latest codes.
> >
> > Now that the audit svn is open for new work...I started to apply this
> > patch. But then I got to thinking about SMACK. It probably does not like
> > us to get selinux labels. I was wondering if we need to try to get its
> > label, too? And I was wondering if both SE Linux and SMACK could be
> > running at the same time? If they can, do we collect both labels?
>
> They are exclusive of one another, and they both provide the process
> label via /proc/pid/attr/current. libselinux wraps that kernel
> interface with getcon() (for current context) and getpidcon() (for
> context of a given pid), which internally handle the allocation of the
> buffer and will deal with label translation if using mcstransd.
>
> So if you want the code to work with either, you'd directly
> read /proc/pid/attr/current and display the resulting string. If you
> want to be SELinux-specific and include functionality like MLS label
> translation, you'd use getpidcon(3).

Thanks, that's very helpful. I think we want the raw data and then do context
translations later in the parsing library if someone asks for it.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
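
An added example, not code from the audit project or from anyone in this thread: the LSM-agnostic option described in the quoted reply, reading the raw label from /proc/pid/attr/current without libselinux and leaving any translation to a later stage. The names read_label_file and read_pid_label, the buffer sizes and the "?" fallback are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Read the raw label at path into buf (NUL-terminated, truncated to size-1).
 * Returns the label length, or -1 on error. */
ssize_t read_label_file(const char *path, char *buf, size_t size)
{
    size_t used = 0;
    ssize_t n = 0;
    int fd, saved;

    if (size == 0 || (fd = open(path, O_RDONLY)) < 0)
        return -1;
    while (used < size - 1) {
        n = read(fd, buf + used, size - 1 - used);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted: retry the read */
        if (n <= 0)
            break;                  /* EOF or a real error */
        used += (size_t)n;
    }
    saved = errno;                  /* close() must not hide a read error */
    close(fd);
    errno = saved;
    if (n < 0)
        return -1;
    /* The data may end in a NUL or newline; keep only the label itself. */
    while (used > 0 && (buf[used - 1] == '\0' || buf[used - 1] == '\n'))
        used--;
    buf[used] = '\0';
    return (ssize_t)used;
}

/* Hypothetical helper: same code path for SELinux and SMACK. */
ssize_t read_pid_label(pid_t pid, char *buf, size_t size)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%ld/attr/current", (long)pid);
    return read_label_file(path, buf, size);
}

int main(void)
{
    char subj[4096];
    ssize_t n = read_pid_label(getpid(), subj, sizeof(subj));
    printf("subj=%s\n", n < 0 ? "?" : subj);   /* "?" when no label is readable */
    return n < 0;
}
```

The string is recorded exactly as the kernel reports it, so a consumer that wants MLS translation has to apply it when parsing the record.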
