
Re: [redhat-lspp] Re: [PATCH] change lspp inode auditing



On Thu, 2006-03-30 at 09:21 -0600, Serge E. Hallyn wrote:
> > However, that does bring up a separate issue beyond the inability to
> > allocate the context; the SID may be invalidated by a policy load, at
> 
> That was what I was addressing.
> 
> > which point you'll get back the unlabeled context upon subsequent
> > attempts to map it to a context.  Hence, if you have a policy reload
> 
> You couldn't end up with a completely wrong context this way?

No, at policy reload time, the SID table is remapped, with each context
either re-translated to the new representation or dropped entirely if
invalid.  In the latter case, later lookups will return the unlabeled
SID's context instead.

-- 
Stephen Smalley
National Security Agency
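
A toy model of the remapping described in the message above, as an added example that is not part of the original message and is not SELinux kernel code. The table layout, the constructed contexts, and the names `sidtab`, `type_in_policy`, `policy_reload` and `sid_to_context` are assumptions made for illustration; it shows a SID recorded before a reload resolving to the unlabeled context afterwards.

```c
#include <stdio.h>
#include <string.h>

#define SID_UNLABELED 0   /* toy value: slot 0 holds the unlabeled context */

struct sid_entry { char ctx[64]; int valid; };
static struct sid_entry sidtab[] = {          /* constructed sample contexts */
    { "system_u:object_r:unlabeled_t", 1 },
    { "system_u:object_r:etc_t", 1 },
    { "system_u:object_r:oldapp_data_t", 1 },
};
#define NSIDS ((int)(sizeof sidtab / sizeof sidtab[0]))

/* Toy "new policy": a context is valid if its type is still defined. */
static int type_in_policy(const char *ctx, const char **types, int n)
{
    const char *type = strrchr(ctx, ':');
    if (!type) return 0;
    for (int i = 0; i < n; i++)
        if (strcmp(type + 1, types[i]) == 0) return 1;
    return 0;
}

/* Remap at reload: keep contexts the new policy accepts, drop the rest. */
static int policy_reload(const char **types, int n)
{
    int dropped = 0;
    for (int sid = 1; sid < NSIDS; sid++)
        if (sidtab[sid].valid && !type_in_policy(sidtab[sid].ctx, types, n)) {
            sidtab[sid].valid = 0;
            dropped++;
        }
    return dropped;
}

/* A dropped SID does not fail the lookup; it yields the unlabeled context. */
static const char *sid_to_context(int sid)
{
    if (sid < 0 || sid >= NSIDS || !sidtab[sid].valid)
        sid = SID_UNLABELED;
    return sidtab[sid].ctx;
}

int main(void)
{
    const char *new_types[] = { "unlabeled_t", "etc_t" };  /* oldapp_data_t removed */
    printf("before: sid 2 -> %s\n", sid_to_context(2));
    policy_reload(new_types, 2);
    printf("after: sid 1 -> %s, sid 2 -> %s\n", sid_to_context(1), sid_to_context(2));
    return 0;
}
```

An audit record that stores only the SID and translates it after the reload would log the unlabeled context for SID 2, not the context the object had when the event occurred.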

