[redhat-lspp] Re: [PATCH] change lspp inode auditing
Steve Grubb
sgrubb at redhat.com
Thu Mar 30 15:48:22 UTC 2006

On Thursday 30 March 2006 09:30, Stephen Smalley wrote:
> Not much value in displaying the SID, although we do it elsewhere as
> well (e.g. in the AVC) as a fallback - mapping it will then require a
> dump of kernel memory at that time. Likely have to call audit_panic in
> this scenario to meet the criteria, but the admin can always set
> audit_panic to not actually panic the machine.

I'll patch it to call audit_panic, but that is not the solution. For example,
suppose the syscall was to rename, sendfile, unlink, or link to a file... even
though we panic, they were able to do the action. If it was to rename a file,
they can now access the file when it comes back up and not be audited. I
think that the correct course of action is to log the number and figure out
how to close the loop on mapping the sid to context post-mortem.

> BTW, you kfree(ctx) unconditionally above, so you better initialize it
> to NULL prior to calling selinux_ctxid_to_string(). len has the wrong
> type too (int vs. u32), but I think you can drop it altogether.

The called function initializes it. I'll add another init to NULL just in case
something it calls doesn't on error.

Thanks,
-Steve