Re: LSM stacker update

From: Serge Hallyn (serue@private)
Date: Wed Feb 02 2005 - 08:24:13 PST


So could selinux do the authorization check and avc_audit in
netlink_send, as you had suggested some time ago?

-serge

On Wed, 2005-02-02 at 09:10 -0500, Stephen Smalley wrote:
> On Wed, 2005-02-02 at 08:50, Stephen Smalley wrote:
> > Actually, on second thought, I wonder if selinux_netlink_recv should be
> > calling avc_audit() upon a denial, as otherwise we will see no audit
> > message for a denial even if it is caused by the SELinux computation in
> > selinux_netlink_send.  Similar issue for the audit subsystem's
> > capability checks on the receiver side.
> 
> Hmmm...except that we won't have the sender's SID available to us in
> selinux_netlink_recv(), so auditing would just occur in the receiver's
> context, possibly incorrectly.
> 
-- 
Serge Hallyn <serue@private>


