
Re: [PATCH] LSPP audit enablement: storing selinux ocontext and scontext

On Tuesday 27 September 2005 01:57, Valdis Kletnieks vt edu wrote:
> > 1500 - 1599 kernel LSPP events
> > 1700 - 1799 kernel crypto events
> > 1800 - 1999 future kernel use (maybe integrity labels and related events)
> < and so on..>
> Am I the only one who thinks "100 entries will be enough" sounds
> suspiciously like "640K should be enough for anybody"?

I'm thinking it should be enough unless vendors want to clip their programs 
into the audit system and start inventing their own numbers.

> Do we either have a way to guarantee that it will be enough (go with
> pseudo-fractional entries a la '1701 subtype 1, 2, 3, 1702 subtype 1..8,
> 1703 subtype 1..934, etc', or a way to expand it, keeping in mind
> forward/backward compatibility issues)?

Well, we could easily continue the same kind of messages in another block. So 
far, we've only consumed < 20 message types on any block. I really can't see 
100 different kinds of LSPP kernel message types.

