[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC] linux-2.6.10-auditfs-tc1.patch

On Friday 21 January 2005 10:50, Serge Hallyn wrote:
> Perhaps we should print out current->cap_effective?  Or is that
> overkill?  Or perhaps an actual "security_identify_process(task, buf,
> len)" hook would be useful, where commoncap could print out the
> capabilities, and selinux could print out the context.  Maybe that's
> closer to debug info...

Based on previous discussions, I think this would be required for LSPP. If we 
are going for LSPP after meeting CAPP, it wouldn't be bad to start getting 
some things in place.

> It sounds like he's worried about the 7 line audit_log_format line he
> has, but I think that's all good info.

I think I'd like to make a change to the way that the kernel sends netlink 
packets. It would be far more efficient for log_end to send multiple records 
in 1 packet instead of 7 separate packets. Especially if the admin has 
configured for full sync writing.

>  Are we satisfied with saying that 'mount' could be modified in 
>  userspace to do the right thing in recreating watch entries?

I don't think we can/should touch mount.

>  Perhaps we could even use inotify + a userspace daemon for the mkdir 
>  /etc case, to create new audit entries based on some config file.

The audit daemon could be made to handle this. We just select on 2 different 
descriptors & process accordingly. That is, if we need to do this...


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]