
Re: SELinux Context Label based audit filtering

On Fri, 2006-02-03 at 16:14 -0500, Stephen Smalley wrote:
> Carrying the SIDs gives you the option of passing them to SELinux so
> that it can immediately look up the context structure and perform
> comparisons, extract values, etc w/o needing to re-parse the context
> string.  But you may still need to carry the context strings to avoid
> allocation failures at the end when it is too late to abort the
> operation.

Gotcha.  I'll continue carrying the context strings to avoid eventual
allocation failures for the time being.

> Given that we need to precompute a MLS context struct when the audit
> filter rule is inserted anyway (so that we can later do efficient
> comparisons of MLS levels), we might want to do this for all of the
> fields, eliminating string comparisons entirely at audit filter
> evaluation time.  See my description of the step-by-step approach for
> the MLS case in my earlier response to Steve.

Ok, I'm going to work through your 9-step program early next week.

> Possibly, but that doesn't create a larger pool of people who can
> contribute in the future to the project...

Understood.  Investment in the future ;)

