Re: [PATCH] LSPP audit enablement: storing selinux ocontext and scontext

Thursday, 13 October 2005

* Stephen Smalley (sds(a)tycho.nsa.gov) wrote:
...
 Leveraging ipcperms only seemed natural (for both LSM and audit),
given
 its wide (but admittedly incomplete and coarse-grained) coverage.  I'm
 not sure why the overlap/duplication is a concern for audit if it isn't
 already a concern for the corresponding LSM hooks. 
The one difference is that the audit record is simpler.  The LSM hooks are
fine grained enough to show distinction between call contexts.  The audit
interface is just grabbing the label, so duplication would be pure waste.
My primary concern is code that looks like this:

msgctl {
  case IPC_STAT:
  	audit...
  case IPC_SET:
	...
	audit...

  if (cmd == IPC_SET)
	audit...

  case IPC_SET:
  	...
}

So there's duplication (ugly from code POV) on IPC_SET, and there's no
clear rule for what's being audited (why not audit RMID, for example).
Granted, some of the ugliness comes from existing ipc code organization.
But we don't need to make it worse.

thanks,
-chris

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: [PATCH] LSPP audit enablement: storing selinux ocontext and scontext