[PATCH 3rd revision] Add SELinux context support to AUDIT target
Mr Dash Four
mr.dash.four at googlemail.com
Wed Jun 8 19:14:38 UTC 2011
> The LSM might report an error. It's up to the caller to figure out
> how to deal with that error. In this case we want to use the audit
> system so it's up to the audit system how to handle that error. This
> helper function says the audit system should log it if it works and
> should audit_panic() if it doesn't. audit_panic() will just call
> printk for most people and can actually panic the box for nutters who
> really care. In this way we always log the information and if we
> don't it's up to audit how audit handles its inability to log info.
>
> It's not netfilter's job to handle the error. It's not the LSM's job
> to know how its caller wants to handle the error. Audit is who has
> special requirements and the code to handle the error should be in
> audit code. (Maybe it wasn't clear, but I think this function should
> go in kernel/audit.c, not the netfilter code. The netfilter code
> should call this helper function.)
>
Yeah, that's fair enough, though from what I remember
security_secid_to_secctx already returns a 'yes'/'no' result (I am
talking from the top of my head here, as I am away at present and can't
check it out to be certain), indicating whether the conversion was
successful or not.
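As an added illustration (not code from this patch or from the kernel), a user-space model of the helper the quoted message describes: the audit layer, rather than the netfilter caller, decides what happens when the secid-to-context conversion fails. The lookup table, model_secid_to_secctx(), model_audit_panic() and the record buffer are constructed stand-ins for the kernel's security_secid_to_secctx(), audit_panic() and audit_log_format().

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the LSM's secid -> security context mapping.
 * Index 0 is deliberately left unmapped to exercise the failure path. */
static const char *const label_table[] = {
    [1] = "system_u:object_r:etc_t:s0",
    [2] = "system_u:system_r:httpd_t:s0",
};
#define LABEL_COUNT (sizeof(label_table) / sizeof(label_table[0]))

/* Models security_secid_to_secctx(): 0 on success, negative errno-style
 * value when the LSM cannot produce a context for this secid. */
static int model_secid_to_secctx(unsigned int secid, const char **ctx, unsigned int *len)
{
    if (secid >= LABEL_COUNT || label_table[secid] == NULL)
        return -22; /* -EINVAL */
    *ctx = label_table[secid];
    *len = (unsigned int)strlen(label_table[secid]);
    return 0;
}

/* Models audit_panic(): by default it only emits a printk-style message.
 * The counter makes the failure path observable to the caller and tests. */
static int audit_panic_count;
static void model_audit_panic(const char *msg)
{
    audit_panic_count++;
    fprintf(stderr, "audit: %s\n", msg);
}

/* The helper in the shape the thread argues for: it lives with the audit
 * code, appends " obj=<context>" to the record on success and invokes
 * audit_panic() on failure, so the netfilter caller needs no error policy.
 * Returns 1 if the context was logged, 0 otherwise. */
int model_audit_log_secctx(char *record, size_t record_size, unsigned int secid)
{
    const char *ctx;
    unsigned int len;
    int rc = model_secid_to_secctx(secid, &ctx, &len);

    if (rc != 0) {
        model_audit_panic("security_secid_to_secctx failed");
        return 0;
    }
    size_t used = strlen(record);
    snprintf(record + used, record_size - used, " obj=%.*s", (int)len, ctx);
    /* A real implementation would call security_release_secctx() here. */
    return 1;
}
```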