--- David Howells <[EMAIL PROTECTED]> wrote: > Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > Precisely when to use one identity vs. the other though isn't always > > clear, and the potential for accidental divergence is also a concern. > > What should auditing use in audit_filter_rules() when dealing with > AUDIT_SUBJ_* cases? Should the SUBJ cases use the subjective SID and the > AUDIT_OBJ_* cases use the objective SID? On the other hand AUDIT_OBJ_* cases > don't seem to have anything to do with tasks.
I believe that you'll need to audit both sets of credentials. I think that for audit filtering you will need to have the ability to filter on either. It's no different from the euid/ruid split. Casey Schaufler [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html