On Monday 29 August 2005 17:28, Stephen Smalley wrote:
> That makes sense when collecting data for the audit prior to the operation
> being performed, e.g. audit_ipc_security_context. It doesn't make sense when
> attempting to audit a completed syscall, e.g.
> audit_log_task_security_context, as the operation has already completed.

I completely agree.
And it is worthwhile to check the hook placement to see that we can fail the
syscall if needed. Meaning that there may be a hook right after the action is
performed. But all we are doing is collecting information. It might be moved
in front of the action. Not sure if there are any cases like this since I
haven't looked in depth.
-Steve