
Re: Getting the real task name in avc messages


>Note that anytime avc_audit generates an audit message, audit_log_exit
>will be called upon syscall exit, so by adding a call to your new function 
>to audit_log_exit, you'll ensure that this information is recorded for 
>every avc denial as well as every other audit message.

I'm not sure we need this information for regular auditing. I haven't seen
regular audit messages that showed the interpreter instead of the program. The
problem does exist for avc denials.

>Note that the comm field is less complete (not a full path and may even
>be truncated) and is not trustworthy (can be changed by the process to
>any arbitrary string).  So you can't rely on it, but it can be useful
>for debugging.

I know about that. I know where to find the full path (example code is over in
the proc file system), but I don't have time to improve this patch right now. I
just want to get this out in the open and show that the status quo can be
improved a little.

Thanks,
-Steve Grubb
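
The quoted caveat about the comm field, shown from user space. This is an added example, not part of the original message or of the patch under discussion; the helper names are hypothetical and it assumes a Linux system with /proc mounted.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Read the calling thread's comm: at most 15 bytes plus the NUL. */
static int get_comm(char out[16])
{
    memset(out, 0, 16);
    return prctl(PR_GET_NAME, (unsigned long)out, 0, 0, 0);
}

/* Any process may overwrite its own comm; longer names are truncated. */
static int set_comm(const char *name)
{
    return prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0);
}

/* Full executable path via /proc/self/exe; returns its length or -1. */
static ssize_t get_exe(char *out, size_t len)
{
    ssize_t n = readlink("/proc/self/exe", out, len - 1);
    out[n >= 0 ? n : 0] = '\0';
    return n;
}

/* Returns 1 when comm took the new (truncated) name and the exe path did not move. */
static int comm_changes_exe_stays(const char *name, char comm_after[16])
{
    char exe_before[4096], exe_after[4096];
    get_exe(exe_before, sizeof exe_before);
    if (set_comm(name) != 0) return 0;
    get_exe(exe_after, sizeof exe_after);
    if (get_comm(comm_after) != 0) return 0;
    return strncmp(comm_after, name, 15) == 0 && strcmp(exe_before, exe_after) == 0;
}

int main(void)
{
    char comm[16], exe[4096];
    get_comm(comm);
    get_exe(exe, sizeof exe);
    printf("before: comm=%s exe=%s\n", comm, exe);
    comm_changes_exe_stays("a-very-long-arbitrary-name", comm); /* constructed name */
    get_exe(exe, sizeof exe);
    printf("after:  comm=%s exe=%s\n", comm, exe);
    return 0;
}
```

An audit record that carries only comm reports whatever the process last wrote there, so comm is best treated as a debugging hint to be read alongside the executable path.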


--
This message was distributed to subscribers of the selinux mailing list.


This mailing list archive is a service of Copilot Consulting.