On Fri, Aug 14, 2020 at 9:05 AM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote: > > On Thu, Aug 13, 2020 at 5:41 PM Stephen Smalley > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > An explanation here of how one might go about decoding audited and > > tclass would be helpful to users (even better would be a script to do it > > for them). Again, I know how to do that but not everyone using > > perf/ftrace will. > > What about something along those lines: > > The tclass value can be mapped to a class by searching > security/selinux/flask.h. The audited value is a bit field of the > permissions described in security/selinux/av_permissions.h for the > corresponding class. Sure, I guess that works. Would be nice if we just included the class and permission name(s) in the event itself but I guess you viewed that as too heavyweight?
