Re: [RFC] Testcase Scenarios for Auditfs Code

On Mon, 2005-05-02 at 14:15 -0400, Stephen Smalley wrote: Now this is disconcerting - the last time I tried this, not too long ago, I was not able to bind mount files, only directories. Of course if we were going to worry about this, then we should also worry about the simpler 'mount --bind /tmp/evil_etc /etc' or even simpler mounts. Since we don't worry about those, adding extra hooks to deal with the mount bind file case would be unwarrented. (right?) Still the problem is interesting :) And easier to solve than bind mount directory. It should be solvable by hooking security_sb_check_sb, right? What does the fs tree look like at that point? Is shadow simultaneously a vfsmount and a dentry? I agree. How bad would it be to have the kernel create a inode-based audit rule when the new /etc/shadow (or any name-watched file) is created? If we stick with the idea of keeping name- and inode-based watches separate, then the semantics that name-based watches create an inode- based watch whenever a new `name` is created, I think that would be pretty intuitive. How would it be done with selinux? For shadow, I can see a clear solution - it only creates files of type shadow_t under /etc, so a simple type_transition rule with no rewriting of passwd can give you a label to audit on. But for the general case, I would expect you'd need to rewrite application_foo to create the files to be audited with a particular type echo'd into /proc/self/attr/fscreate. Or is there another way selinux could be used? thanks, -serge -- Serge Hallyn <serue(a)us.ibm.com&gt;