[RFC][PATCH] selinux: Report result in avc messages
Eric Paris
eparis at redhat.com
Wed Apr 30 02:59:42 UTC 2014
On Tue, 2014-04-29 at 16:54 -0700, Stephen Smalley wrote:
> Requested for Android in order to distinguish denials that are not in
> fact breaking anything yet due to permissive domains versus denials
> that are being enforced, but seems generally useful. result field was
> already in the selinux audit data structure and was being passed to
> avc_audit() but wasn't being used. Seems to cause no harm to ausearch
> or audit2allow to add it as a field. Comments?
I think it's a great idea, but I'm worried that Steve is going to get
grumpy because an AVC record is going to have a result= field which is
similar, but not necessarily related to the res= field of a SYSCALL
record. Seems easily confused (although probably 9999 times out of
10000 they will be the same).
So while I wholeheartedly think we should take the idea, I wonder if
someone can dream up a name that isn't confusingly similar...
I can't think of anything...
-Eric
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-selinux-Report-result-in-avc-messages.patch
Type: text/x-patch
Size: 3413 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140429/05d8a868/attachment.bin>
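The distinction the RFC is after (a denial that was actually enforced versus one logged from a permissive domain) and the name clash Eric raises can both be shown with a small log parser. This is an added example, not code from the thread or the patch; the sample records are constructed, and the value format of the proposed `result=` field (0 for a denial that was not enforced, a negative errno such as -13 for one that was) is an assumption made here, not something the message specifies.

```python
import re

# Constructed sample audit records (not taken from the message or a real
# system). The "result=" field on the AVC lines is the one the RFC proposes;
# its value format is an assumption made for this example: 0 means the
# access went through because the source domain is permissive, a negative
# errno such as -13 (EACCES) means the denial was actually enforced.
# The SYSCALL line is simplified and is only here to show that its "res="
# key is a different field from the AVC "result=" key.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1398819000.123:45): avc: denied { read } for pid=1234 '
    'comm="app" scontext=u:r:app:s0 tcontext=u:object_r:file:s0 tclass=file result=-13',
    'type=AVC msg=audit(1398819001.456:46): avc: denied { write } for pid=1235 '
    'comm="dbg" scontext=u:r:dbg:s0 tcontext=u:object_r:file:s0 tclass=file result=0',
    'type=SYSCALL msg=audit(1398819000.123:45): syscall=2 success=no exit=-13 '
    'pid=1234 comm="app" res=failed',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')

def parse_record(line):
    """Split an audit record into a dict of key=value fields plus the
    denied permission list (AVC records only)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERM_RE.search(line)
    if m:
        fields["perms"] = m.group(1).split()
    return fields

def classify_denial(line):
    """Return 'enforced', 'permissive', or None for non-AVC records.
    Only the AVC 'result=' key is consulted; a SYSCALL 'res=' never is,
    which is exactly the confusion a distinct field name should avoid."""
    fields = parse_record(line)
    if fields.get("type") != "AVC" or "result" not in fields:
        return None
    return "permissive" if int(fields["result"]) == 0 else "enforced"

def triage(lines):
    """Count denials per source domain, split by whether they were enforced,
    so permissive-domain noise can be separated from real breakage."""
    summary = {}
    for line in lines:
        verdict = classify_denial(line)
        if verdict is None:
            continue
        domain = parse_record(line)["scontext"]
        summary.setdefault(domain, {"enforced": 0, "permissive": 0})[verdict] += 1
    return summary
```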