
Re: Getting the real task name in avc messages


On Wed, 2005-03-30 at 13:02 -0800, Steve G wrote:
> I'm not sure we need this information for regular auditing. I haven't seen
> regular audit messages that showed the interpreter instead of the program. The
> problem does exist for avc denials.

Presently the syscall auditing (i.e. audit_log_exit) doesn't show the
program name at all, just the pid.  That's why I suggested moving this
to audit_log_exit, so that you can get more useful information.  pid is
rarely helpful except for long-lived processes, whereas the exe and comm
can be helpful.

> I know about that. I know where to find the full path (example code is over in
> the proc file system), but I don't have time to improve this patch right now. I
> just want to get this out in the open and show that the status quo can be
> improved a little.

avc_audit() already does that (the exe= info).  So you just need to move
it over.  See my patch that I just sent.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
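
The following is an added example, not part of the original message or of any patch in this thread: it joins each AVC denial to the syscall audit record of the same event so that exe and comm are reported alongside the pid. The record layout (`type=... msg=audit(time:serial)`) is assumed to be the auditd-style log format, and every sample value is constructed.

```python
import re
from collections import defaultdict

# Constructed sample records. Event 46 has no SYSCALL record, so only the pid is known.
SAMPLE_LOG = '''\
type=AVC msg=audit(1112216520.101:45): avc:  denied  { read } for  pid=2211 name="shadow" dev=hda2 ino=40112 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1112216520.101:45): arch=40000003 syscall=5 success=no exit=-13 pid=2211 uid=48 comm="report.py" exe="/usr/bin/python"
type=AVC msg=audit(1112216533.870:46): avc:  denied  { write } for  pid=2290 name="passwd" dev=hda2 ino=40110 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def parse_records(text):
    """Group records by audit serial number: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            fields["perms"] = p.group(1).split() if p else []
        # Keeps the last record of each type per event, enough for this sample.
        events[int(serial)][rtype] = fields
    return events

def describe_denials(text):
    """Return one dict per AVC denial, enriched from the matching SYSCALL record."""
    denials = []
    for serial, recs in sorted(parse_records(text).items()):
        avc = recs.get("AVC")
        if avc is None:
            continue
        syscall = recs.get("SYSCALL", {})  # may be absent: fall back to pid only
        denials.append({
            "serial": serial, "pid": avc.get("pid"), "perms": avc["perms"],
            "name": avc.get("name"),
            "comm": syscall.get("comm"), "exe": syscall.get("exe"),
        })
    return denials

if __name__ == "__main__":
    for d in describe_denials(SAMPLE_LOG):
        print(d)
```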

