
Re: handling disk full



Keep in mind that the CAPP audit requirements are fairly independent from
the SELinux uses of the audit subsystem. 

CAPP requires that specific actions don't complete if they can't be
audited, and those events will in general occur from a syscall context
where a sleep should not be a problem.

The events generated by SELinux are not required by CAPP, and it's not a
problem for CAPP compliance if those messages get discarded if there is
no room for them and the kernel can't sleep.

Things get more complicated if you're looking at an LSPP system with
SELinux being responsible for audit events related to labels which aren't
optional.

-Klaus

On Wed, Dec 15, 2004 at 11:48:25AM -0600, Mounir Bsaibes wrote:
> On Tue, 2004-12-14 at 17:06, Mounir Bsaibes wrote:
> > What I have currently, on disk full the auditd will notify the kernel
> > which sets up a flag "disk_full_flag". During audit_log_start if the
> > disk_full_flag is set the process will be queued in a wait queue until
> > auditd or auditctl reset the disk_full_flag,
> > I can provide more details if needed. This is the general method I am
> > going to use to cover this CAPP requirement.
> > Mounir
> 
> SELinux calls the audit subsystem from hard irq (e.g.
> file_send_sigiotask) and at times when kernel locks are held.
> 
> 
> So what is a better solution, just kill the process?
> I have changed the subject of this reply to make it more meaningful to 
> this discussion and to separate it from the audit in vfs discussion.
> 
> Mounir Bsaibes
> Linux Security
> Tel:  (512) 838-1301
> Cell: (512) 762-9957
> Fax: (512) 838-8858
> e-mail: bsaibes us ibm com
> 
> 
> 
> Stephen Smalley <sds epoch ncsc mil> 
> Sent by: linux-audit-bounces redhat com
> 12/15/2004 10:08 AM
> Please respond to
> Linux Audit Discussion
> 
> 
> To
> Linux Audit Discussion <linux-audit redhat com>
> cc
> 
> Subject
> Re: best way to audit in vfs
> 
> 
> 
> 
> 
> 
> On Tue, 2004-12-14 at 17:06, Mounir Bsaibes wrote:
> > What I have currently, on disk full the auditd will notify the kernel
> > which sets up a flag "disk_full_flag". During audit_log_start if the
> > disk_full_flag is set the process will be queued in a wait queue until
> > auditd or auditctl reset the disk_full_flag,
> > I can provide more details if needed. This is the general method I am
> > going to use to cover this CAPP requirement.
> > Mounir
> 
> SELinux calls the audit subsystem from hard irq (e.g.
> file_send_sigiotask) and at times when kernel locks are held.
> -- 
> Stephen Smalley <sds epoch ncsc mil>
> National Security Agency
> 

> --
> Linux-audit mailing list
> Linux-audit redhat com
> http://www.redhat.com/mailman/listinfo/linux-audit
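
The trade-off discussed in this thread, as an added userspace model (not code from any poster or from the kernel): a caller in syscall context is parked while the disk-full flag is set, and a caller that cannot sleep has its record discarded and counted. All function and type names are hypothetical, and the wait queue is modelled as a simple counter of parked callers.

```c
/* Userspace model only: every name here is hypothetical, not kernel code. */
#include <stdio.h>

enum ctx { CTX_SYSCALL, CTX_ATOMIC };   /* may sleep / hard irq or lock held */
enum result { AUDIT_LOGGED, AUDIT_QUEUED, AUDIT_DROPPED };

static int disk_full_flag;              /* set when auditd reports a full disk */
static int n_waiting;                   /* callers parked on the wait queue */
static unsigned logged, lost;           /* records written / records discarded */

/* auditd notifies the kernel that the log partition is full. */
void audit_set_disk_full(void) { disk_full_flag = 1; }

/* Model of the check proposed for audit_log_start(). */
enum result audit_log_start_model(enum ctx c)
{
    if (!disk_full_flag) {
        logged++;
        return AUDIT_LOGGED;
    }
    if (c == CTX_ATOMIC) {
        lost++;                         /* cannot sleep here: discard and count */
        return AUDIT_DROPPED;
    }
    n_waiting++;                        /* syscall context: park the caller */
    return AUDIT_QUEUED;
}

/* auditd or auditctl resets the flag: wake every waiter, log its record. */
int audit_clear_disk_full(void)
{
    int woken = n_waiting;
    disk_full_flag = 0;
    logged += (unsigned)n_waiting;
    n_waiting = 0;
    return woken;
}

unsigned audit_logged(void) { return logged; }
unsigned audit_lost(void) { return lost; }

int main(void)
{
    audit_set_disk_full();
    printf("syscall ctx: %d\n", audit_log_start_model(CTX_SYSCALL));
    printf("atomic ctx:  %d\n", audit_log_start_model(CTX_ATOMIC));
    printf("woken:       %d\n", audit_clear_disk_full());
    printf("logged=%u lost=%u\n", audit_logged(), audit_lost());
    return 0;
}
```

The lost counter is what makes the discard visible afterwards; the model does not cover the LSPP case, where a record raised from atomic context is not optional.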

