Re: [RFC] [PATCH]

Friday, 17 February 2006

Dustin Kirkland wrote:
...
 On Fri, 2006-02-17 at 08:43 -0600, Darrel Goeddel wrote:

>It would seem to me that we need the current functionality of keeping all rules
>that are set up and revalidating them upon policy loads.  If we don't do it here,
>it would need to be done at the audit layer - it might not be as pretty there.

 I don't know...  My first thoughts are that it seems like the audit
 layer should be ignorant of policy loads/reloads--that's not really it's
 business. 
I was trying to avoid knowledge of policy reloads (and really policy in general)
with the rule skipping piece and the sequo checking when the rule is used.  As
far as the audit system is concerned, SELinux could be rolling dice to determine
matches.

As for the big picture.  Steve Grubb suggested a compromise of keeping the current
methodology and enhancing it with KERN_INFO messages.  I'd suggest message for the
following:

- a rule that is inactive is inserted
- a rule that was active becomes inactive
- a rule that was inactive becomes active

Does that fit the bill?

-- 

Darrel

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: [RFC] [PATCH]