On Wednesday 27 August 2008 12:04:26 Matt Anderson wrote: > On Tue, Aug 26, 2008 at 04:08:35PM -0400, Steve Grubb wrote: > > On Tuesday 26 August 2008 15:55:51 Stephen Smalley wrote: > > > So if you want the code to work with either, you'd directly > > > read /proc/pid/attr/current and display the resulting string. ??If you > > > want to be SELinux-specific and include functionality like MLS label > > > translation, you'd use getpidcon(3). > > > > Thanks, that's very helpful. I think we want the raw data and then do > > context translations later in the parsing library if someone asks for it. > > Can we be sure the delayed translation will be correct?
I don't plan to add translations any time soon. We also don't have time to do a translation while logging. So, we will just have raw data for a while. > It seems to me that by then the policy or the translation could have changed > and although you may have an audit of that event you wouldn't necessarily be > able to reconstruct the context that should appear in the log. True and something that will need to be worked around. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
