[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [redhat-lspp] Re: [PATCH] change lspp inode auditing



On Thursday 30 March 2006 08:24, Stephen Smalley wrote:
> > In that case, the patch writes out the sid number. Given a sid, is there
> > a way to find it in the policy on disk? If not, that might be useful to
> > have.
>
> SIDs aren't persistent identifiers.

Do 2 back to back loads of the same policy produce the same sids?

> > If we record the sid number, do we really need to call audit_panic?
>
> See above.  The SID is useless for off-line analysis, and you'd have to
> inspect kernel memory to even map it to a context - kernel SIDs aren't
> exported to userspace.  Again, by design.

I have a feeling that we may need to close the loop somehow. I really don't 
anticipate this being a normal condition at all. But just in case...

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]