Re: [PATCH] LSPP audit enablement: storing selinux ocontext and scontext
On Monday 29 August 2005 17:18, Dustin Kirkland wrote:
Hmmm... Steve: Can you point me to some places where you feel this
might be necessary?
Any function that hooks the main part of the kernel and does auditing. For
example, audit_ipc_security_context. There's more...
One thing that's important to realize is that audit_panic() does
not
necessarily panic the kernel. Depending on the value of audit_failure,
it can 1) fail silently, 2) fail with only a KERN_ERR printk, or 3) it
can panic the kernel.
Which is inadequate - failing the syscall might also be appropriate and its
not an option in the 3 you mentioned. In the case of printk & ignore...the
syscall passes.
I'd like to push this for inclusion in David's tree as soon
as possible.
I need to wait until I'm caught up to really review this patch. I still think
its too early for LSPP discussion since we haven't set out the requirements
for what we are going to do in this round of development. Its likely to be
next week before I can look at this closely.
I still think it calls audit_panic too easy. How does SE Linux AVC messages
get handled when it fails looking up something? Does it call audit_panic or
try to output the number? I think they should both match.
BTW, does audit_set_macxattr need to NULL check after kstrdup?
-Steve