* frm crispinat_private "09/02/01 01:12:16 -0700" | sed '1,$s/^/* /'
*
*> Since neither of them have
*> really talked about it since then on the list, I don't see any reason
*> why we would change the proposed plan that I thought we had all agreed
*> upon.
*>
* I too am still waiting to see the SGI response to the challenge, and if
* we never get one, we'll stay restrictive. But since the BoF was all of
* 2.5 weeks ago, I don't think it is yet a foregone conclusion that we're
* all-restrictive.

I replied on August 22, saying that initial investigation of the authoritative patch that Stephen kindly resent to the list would be useful to SGI as it was. The hard to fix places would be okay to keep restrictive at least for this phase. At least the philosophy is "authoritative" even if we realize that a 100% solution isn't feasible in the short term.

Until we can get actual audit records out of the system (kernel panics are not your friend), I'm not sure what subtleties are missing from Stephen's patch, but from my point of view it's a lot closer to useable for SGI than where we are now.

And while I know audit isn't in phase 1, we're a lot closer to getting audit working using the existing hooks than we thought we could be. While 80% of statistics are made up on the spot, I reckon I can get 95% of POSIX audit working as is (assuming authoritative placement), the missing FDs would be the majority of the last 5%, oh and the name->inode lookup would be another 5% :-)

*
* Crispin
*

richard.

-----------------------------------------------------------------------
Richard Offer
Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 08:06:32 PDT