Quoting Eric Paris ([EMAIL PROTECTED]): > On Mon, 2008-10-20 at 11:31 -0500, Serge E. Hallyn wrote: > > Quoting Eric Paris ([EMAIL PROTECTED]): > > > type=SYSCALL msg=audit(1224342849.465:43): arch=c000003e syscall=59 > > > success=yes exit=0 a0=25b6a00 a1=2580410 a2=2580140 a3=8 items=2 > > > ppid=2219 pid=2266 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > > fsgid=0 tty=pts0 ses=1 comm="ping" exe="/bin/ping" > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > > > type=EXECVE msg=audit(1224342849.465:43): argc=2 a0="ping" a1="127.0.0.1" > > > type=CWD msg=audit(1224342849.465:43): cwd="/root" > > > type=PATH msg=audit(1224342849.465:43): item=0 name="/bin/ping" > > > inode=49227 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000002000 > > > cap_inheritable=0000000000000000 > > > type=PATH msg=audit(1224342849.465:43): item=1 name=(null) inode=507963 > > > dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > obj=system_u:object_r:ld_so_t:s0 > > > > > > This good? If either cap_permitted or cap_inheritable have anything set > > > I show them both. In the above example would you rather I only showed > > > cap_permitted and dropped cap_inheritable? Did I see correctly that > > > > I think dropping the empty one is fine. > > > > Steve's suggestion of cap_prm and cap_inh are good for being shorter and > > matching proc output. But OTOH it's a bit confusing as at first I > > thought these were the task's values. Would it be too terse to just > > use fP and fI? > > yes, too terse. How about cap_fP, cap_fI, cap_fVer, cap_fEffBit ?
Well it's a PATH record type so it should be obvious that these are file caps, so better to stick with Steve's suggestions, right? > Based on your other comments I'm going to go add fVer and fEffBit. cap_ver and cap_legacy? I can't explain it, but fEffBit makes me think of Twiki... thanks, -serge -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
