[redhat-lspp] change lspp ipc auditing

Dustin Kirkland dustin.kirkland at gmail.com
Fri Mar 31 21:24:31 UTC 2006


On 3/31/06, Steve Grubb <sgrubb at redhat.com> wrote:
> The patch below converts IPC auditing to collect sid's and convert to context
> string only if it needs to output an audit record. This patch depends on the
> inode audit change patch already being applied.

Looks pretty much like the version of this I submitted last night.  It
looks fine to me.

Point of clarification, though...  We need to simplify for Al
*exactly* what needs to be applied.  There's a gang of patches flying
around with IPC in the subject under multiple different threads, most
of which are redundant.

As I see it there are two things that need to happen with respect to
IPC auditing...

(1) Steve's patch above (or my patch from last night) eliminates the
char *ctx strings in the ipc audit records resulting in improved
performance (and eliminating the memory leaks that resurrected this
code a month ago)

(2) My ipc audit rework patch that splits the ipc audit functions into
two separate functions, each recording something different...  One
audits the ipc object itself (which is what will record the SELinux
context sid).  And the second is called when permissions are changed on
an ipc object (happens in IPC_SET operations).  Steve has recommended
a minor change to the naming of the audit record type from
AUDIT_IPC_NEW_PERM to AUDIT_IPC_SET_PERM.  That's acceptable to me.
I'll repost this patch very soon.

:-Dustin



