On Tuesday 16 June 2009 10:26:46 am Eric Paris wrote:
> On Tue, 2009-06-16 at 09:43 +0900, KaiGai Kohei wrote:
> > Stephen Smalley wrote:
> >
> > For example, how do you feel the example on security_compute_av() time?
> >
> > type=SELINUX_INFO msg=audit(1245046106.725:65): \
> > op=security_compute_av masked=bounds \
> > scontext=system_u:system_r:user_webapp_t:s0 \
> > tcontext=system_u:object_r:httpd_sys_content_t:s0 \
> > tclass=file { setattr write }
>
> I feel good for all but the { setattr write }
>
> It's a new message, we have no parsers which need the old format, how
> would others feel about
>
> perm="setattr,write" ?
I'd recommend losing the quotes. I think you are doing this because of
untrusted_string, but I doubt the user can influence this.
But I am also wondering if SELINUX_INFO is the most descriptive type name for
what the record really means? Does this also result in a syscall record if
audit is enabled?
-Steve
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
