Serge Hallyn wrote:

>Attached is a patch which provides LSM controls over actions related to
>the new audit framework. As a specific example, we might like to have
>an "audit role", enabled by selinux or some other LSM, which would be
>the only role allowed to add or delete filter rules.
>
>What do people think about adding these hooks, both in general and these
>hooks specifically?

LSM is about enabling policy modules, not imposing policy. Glancing through the patch, it appears to put audit-specific stuff into LSM. I would rather see appropriate hook placement so that an audit module (or an audit-aware module) could be created, but without imposing audit-specific semantics on the hooks.

But then again, I'm just guessing at what the patch does based on variable names :) Can you post a description of what the patch does?

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com

This archive was generated by hypermail 2.1.3 : Wed Sep 15 2004 - 06:02:24 PDT