[redhat-lspp] Re: [PATCH] change lspp inode auditing

Stephen Smalley sds at tycho.nsa.gov
Thu Mar 30 14:36:38 UTC 2006


On Thu, 2006-03-30 at 09:22 -0500, Steve Grubb wrote:
> On Thursday 30 March 2006 08:24, Stephen Smalley wrote:
> > > In that case, the patch writes out the sid number. Given a sid, is there
> > > a way to find it in the policy on disk? If not, that might be useful to
> > > have.
> >
> > SIDs aren't persistent identifiers.
> 
> Do 2 back to back loads of the same policy produce the same sids?

Policy reload doesn't flush the SID table; it just walks the SID table
and remaps the context if necessary, or marks them invalid if they are
no longer legal in the current policy.  So the SIDs stay the same across
the reload.  And when it invalidates a SID, it logs a warning from the
tail of convert_context() in services.c.  Easy enough to convert that
printk to an audit message and to include the key (sid) value along with
it for later use, I suppose.

> I have a feeling that we may need to close the loop somehow. I really don't 
> anticipate this being a normal condition at all. But just in case...

-- 
Stephen Smalley
National Security Agency
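As an added illustration of the reload behaviour described above (this is a toy model written for this page, not the kernel's sidtab or convert_context code, and not from either participant), the following C program keeps a SID table keyed by small integers, then "reloads" a policy that dropped a type. SIDs already handed out keep their numbers; entries whose context is no longer legal are marked invalid and reported together with the SID key, which is what the message suggests turning into an audit record. The policy here is modelled as just a list of type names, and contexts are plain "user:role:type[:level]" strings, so no numeric remapping is needed; both simplifications are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SIDS 8
#define MAX_CTX  64

/* One SID table slot: the context string and whether it is still legal. */
struct sid_entry {
    char context[MAX_CTX];
    int  valid;
};

/* SID 0 is reserved; SIDs are allocated upward and never reused. */
struct sid_table {
    struct sid_entry entries[MAX_SIDS];
    unsigned int     next_sid;
};

/* Assumed model of a policy: the set of type names it defines. */
struct policy {
    const char **types;
    int          ntypes;
};

static int policy_has_type(const struct policy *p, const char *type)
{
    for (int i = 0; i < p->ntypes; i++)
        if (strcmp(p->types[i], type) == 0)
            return 1;
    return 0;
}

/* Copy the type field (third colon-separated component) of a context. */
static int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ':');
        if (!p)
            return -1;
        p++;
    }
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

static void sidtab_init(struct sid_table *t)
{
    memset(t, 0, sizeof *t);
    t->next_sid = 1;
}

/* Return the SID for a context legal under the current policy, allocating
 * one if needed. Returns 0 (invalid SID) for an illegal context or a full table. */
static unsigned int sidtab_context_to_sid(struct sid_table *t,
                                          const struct policy *cur,
                                          const char *ctx)
{
    char type[MAX_CTX];
    if (context_type(ctx, type, sizeof type) != 0 || !policy_has_type(cur, type))
        return 0;
    for (unsigned int s = 1; s < t->next_sid; s++)
        if (t->entries[s].valid && strcmp(t->entries[s].context, ctx) == 0)
            return s;
    if (t->next_sid >= MAX_SIDS)
        return 0;
    unsigned int s = t->next_sid++;
    snprintf(t->entries[s].context, MAX_CTX, "%s", ctx);
    t->entries[s].valid = 1;
    return s;
}

/* Policy reload: walk the table in place rather than flushing it. Entries still
 * legal keep their SID untouched; the rest are marked invalid and logged with
 * the SID key so a later record carrying only the SID can be resolved.
 * Returns the number of SIDs invalidated. */
static int sidtab_convert(struct sid_table *t, const struct policy *newp)
{
    int invalidated = 0;
    for (unsigned int s = 1; s < t->next_sid; s++) {
        char type[MAX_CTX];
        if (!t->entries[s].valid)
            continue;
        if (context_type(t->entries[s].context, type, sizeof type) == 0 &&
            policy_has_type(newp, type))
            continue;
        t->entries[s].valid = 0;
        printf("audit: context %s no longer valid after reload (sid=%u)\n",
               t->entries[s].context, s);
        invalidated++;
    }
    return invalidated;
}

static int sidtab_sid_is_valid(const struct sid_table *t, unsigned int sid)
{
    return sid != 0 && sid < t->next_sid && t->entries[sid].valid;
}

/* The context string is kept even for invalid SIDs so the key stays resolvable. */
static const char *sidtab_sid_to_context(const struct sid_table *t, unsigned int sid)
{
    if (sid == 0 || sid >= t->next_sid)
        return NULL;
    return t->entries[sid].context;
}

int main(void)
{
    /* Constructed scenario: policy A defines two types, policy B drops user_t. */
    const char *a_types[] = { "sshd_t", "user_t" };
    const char *b_types[] = { "sshd_t" };
    struct policy a = { a_types, 2 }, b = { b_types, 1 };
    struct sid_table t;

    sidtab_init(&t);
    unsigned int s1 = sidtab_context_to_sid(&t, &a, "system_u:system_r:sshd_t");
    unsigned int s2 = sidtab_context_to_sid(&t, &a, "user_u:user_r:user_t:s0");
    printf("before reload: sid %u and sid %u allocated\n", s1, s2);
    sidtab_convert(&t, &b);
    printf("after reload: sid %u valid=%d, sid %u valid=%d\n",
           s1, sidtab_sid_is_valid(&t, s1), s2, sidtab_sid_is_valid(&t, s2));
    return 0;
}
```

The point the test pins down is the one raised in the thread: after the reload, the surviving context still answers to the same SID it had before, and the invalidated SID is not recycled but remains resolvable to the context it denoted when it was logged.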
