On Thu, Aug 13, 2020 at 5:41 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > An explanation here of how one might go about decoding audited and > tclass would be helpful to users (even better would be a script to do it > for them). Again, I know how to do that but not everyone using > perf/ftrace will. What about something along those lines: The tclass value can be mapped to a class by searching security/selinux/flask.h. The audited value is a bit field of the permissions described in security/selinux/av_permissions.h for the corresponding class.
