On Mon, 2007-11-05 at 16:28 -0500, Dean Anderson wrote:
> On Wed, 31 Oct 2007, Stephen Smalley wrote:
> >
> > Not a full pathname, no.
> >
> > We don't have enough information at the point where we do our permission
> > checks to reconstruct a pathname,
>
> ?? These checks are in open or exec. The full pathname should be
> available.

Not where we do the check, no. The audit system though can collect the
component names as the lookup occurs, and emit the name at syscall exit.

> > and such a pathname will always be process-local and not guaranteed to
> > be meaningful, stable, or the actual path by which the file was
> > accessed.
>
> ?? The filesystem is not process local, except perhaps /proc

The view that a process has of the filesystem can be tailored on a
per-process basis in Linux; a given pathname is only meaningful relative
to a particular namespace.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
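The claim in the message that a pathname is "not guaranteed to be meaningful, stable, or the actual path by which the file was accessed" can be seen from user space without any privilege. The following is an added C example, not code from the mail or from SELinux: it creates a scratch file under /tmp (the directory and file names are constructed for the demo), gives the inode a second hard link, and shows that the open descriptor's identity, which is what the kernel's permission hook actually has in hand, matches both names equally, so the name used to reach it cannot be recovered from the object alone. It then renames the file and reads back the kernel's own name for the descriptor through /proc/self/fd, which changes underneath the still-open descriptor. The namespace point (a per-process mount table) is not shown here because it needs CAP_SYS_ADMIN.

```c
/* Added example: why an open file does not identify one stable pathname.
 * Not part of the original mail or of SELinux; /tmp paths are constructed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct alias_demo {
    int same_object;        /* 1 if both names resolve to one (st_dev, st_ino) */
    int names_matching_fd;  /* how many of the names match the open fd's identity */
    int proc_path_changed;  /* 1 if /proc/self/fd/N text changed after rename; -1 if no /proc */
};

/* Two names denote the same object iff (st_dev, st_ino) agree. */
static int same_object(const char *p1, const char *p2)
{
    struct stat s1, s2;
    if (stat(p1, &s1) || stat(p2, &s2)) return -1;
    return s1.st_dev == s2.st_dev && s1.st_ino == s2.st_ino;
}

/* Given only an fd (the object a permission check sees), count how many of the
 * candidate names are indistinguishable from the one actually used to open it. */
static int names_matching_fd(int fd, const char *const names[], int n)
{
    struct stat fs;
    if (fstat(fd, &fs)) return -1;
    int hits = 0;
    for (int i = 0; i < n; i++) {
        struct stat s;
        if (stat(names[i], &s) == 0 && s.st_dev == fs.st_dev && s.st_ino == fs.st_ino)
            hits++;
    }
    return hits;
}

/* The kernel's current name for fd, as exposed by Linux procfs (d_path). */
static int fd_kernel_name(int fd, char *out, size_t outsz)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, out, outsz - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

struct alias_demo run_alias_demo(void)
{
    struct alias_demo r = { -1, -1, -1 };
    char dir[] = "/tmp/pathdemoXXXXXX";          /* constructed scratch location */
    if (!mkdtemp(dir)) return r;
    char a[128], b[128], c[128];
    snprintf(a, sizeof a, "%s/first-name", dir);
    snprintf(b, sizeof b, "%s/second-name", dir);
    snprintf(c, sizeof c, "%s/renamed", dir);

    int fd = open(a, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) { rmdir(dir); return r; }

    if (link(a, b) == 0) {                        /* second name, same inode */
        r.same_object = same_object(a, b);
        const char *names[] = { a, b };
        r.names_matching_fd = names_matching_fd(fd, names, 2);
    }

    /* The "path" the kernel would report is not stable: rename the name we
     * opened through and the descriptor's reported name follows the dentry. */
    char before[256], after[256];
    int have_before = fd_kernel_name(fd, before, sizeof before) == 0;
    rename(a, c);
    if (have_before && fd_kernel_name(fd, after, sizeof after) == 0)
        r.proc_path_changed = strcmp(before, after) != 0;

    close(fd);
    unlink(a); unlink(b); unlink(c); rmdir(dir);
    return r;
}

int main(void)
{
    struct alias_demo r = run_alias_demo();
    printf("both names are one object: %d\n", r.same_object);
    printf("names the fd cannot tell apart: %d\n", r.names_matching_fd);
    printf("/proc/self/fd name changed after rename: %d\n", r.proc_path_changed);
    return 0;
}
```

On Linux the run reports that both names are the same object, that the descriptor matches two names (so neither "the" path nor the one actually used can be derived from it), and that the name procfs reports changed once the file was renamed. That is why a hook working on the inode can log the object identity reliably but has to rely on the audit subsystem, which records component names during the lookup itself, to report the name the caller used.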