[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH] LSPP audit enablement: storing selinux ocontext and scontext



On Monday 29 August 2005 17:28, Stephen Smalley wrote:
> That makes sense when collecting data for the audit prior to the operation
> being performed, e.g. audit_ipc_security_context. It doesn't make sense when
> attempting to  audit a completed syscall, e.g. 
>audit_log_task_security_context, as the operation has already completed.

I completely agree.

And it is worthwhile to check the hook placement to see that we can fail the 
syscall if needed. Meaning that there may be a hook right after the action is 
performed. But all we are doing is collecting information. It might be moved 
in front of the action. Not sure if there are any cases like this since I 
haven't looked in depth.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]