On Mon, 2009-03-30 at 20:30 +0200, Etienne Basset wrote: SMACK doesn't have it's own capabilities enforcement (it just calls cap_capable()) so this doesn't matter to you at all. Just pretend I didn't say anything. James? lsm_audit.h? security_audit.h? Should I just shut up and not try to work towards a generic lsm audit framework? I'm just seeing a lot of code that I've seen before. I believe they both output the same set of information right? (except selinux has a tclass smack doesn't?) . But since we can't really fix/change SELinux logging right now maybe this isn't worth doing too much work over. If you see an easy way to make more of the code generic, do it. If not, don't worry about it. The real difference between the two is in security/selinux/avc.c::avc_dump_query() vs the beginning of smack_log(). If it's reasonable to somehow combine most/all of the other code, i say we do it. This might mean something like struct selinux_audit_struct { u32 ssid u32 tsid u16 tclass u32 requested struct av_decision *avd int result } struct smack_audit_struct { char *function int result char *subj char *obj char *requested } common_audit_struct { [everything we have today] union { struct selinux_audit_struct selinux_audit; struct smack_audit_struct smack_audit; } void (*lsm_audit)(struct audit_buffer*, void *); } So we could call some new generic function that does all of the buffer allocation and reporting, then call back into the private selinux/smack function with the data in the union. Maybe this isn't as easy as it sounded in my head... I just don't think we want a 3,4,5,6 implementations of lsm auditing. How did you plan to handle a SMACK label with a ' ? Using the audit string functions and being given a label with a " is going to give you the hex output. (which might someday turn into better encoding, but I'm still waiting to see some code to do it better) Can I suggest if you write userspace tools to do anything with these audit records that you use libauparse? So if we do make changes, SMACK tools keep working (this is the main problem with changing how SELinux uses audit, the userspace tools don't use libauparse so we can't make changes in just the kernel+library...) -Eric