[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] collect security labels on user processes generating audit messages



On Thu, 2006-02-09 at 10:15 -0500, James Morris wrote:
> On Thu, 9 Feb 2006, James Morris wrote:
> 
> > You also need to verify the policy serial number.
> > 
> > I wonder if it might be better to use the security context directly.
> 
> Also consider adding a security field to netlink messages, to managed by 
> the LSM.

A generic security blob would require full lifecycle maintenance,
including the old sk hooks that were rejected for 2.5.  I also think it
is a mistake to generalize the audit system's use of SELinux, as I don't
think that any other LSM is likely to provide LSPP functionality, so we
might as well just convert all of these audit-SELinux interfaces into
direct SELinux calls IMHO.  At least in the long term if not
immediately.

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]