Re: [PATCH] audit validatetrans denials
On Wed, 2005-02-16 at 16:54, Darrel Goeddel wrote:
> Attached is a patch that adds the auditing of denials caused by the
> validatetrans rules in the policy. Look good?
I'd rather do this the same way as compute_sid_handle_invalid_context(),
i.e. generate the context strings up front using
context_struct_to_string() after looking up the SIDs, use
policydb.p_class_val_to_name[tclass-1] to lookup the class name, and
perform a single audit_log() call. Since you are already within the
security server at this point, you don't have to do it in the same
manner as the AVC. And you already log error messages on any invalid
SIDs or classes (in which case you aren't going to be able to look them
up anyway). So I think you just want to call a helper similar to
compute_sid_handle_invalid_context() in the case where
constraint_expr_eval() fails.
--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.