So could selinux do the authorization check and avc_audit in netlink_send, as you had suggested some time ago?

-serge

On Wed, 2005-02-02 at 09:10 -0500, Stephen Smalley wrote:
> On Wed, 2005-02-02 at 08:50, Stephen Smalley wrote:
> > Actually, on second thought, I wonder if selinux_netlink_recv should be
> > calling avc_audit() upon a denial, as otherwise we will see no audit
> > message for a denial even it is caused by the SELinux computation in
> > selinux_netlink_send. Similar issue for the audit subsystem's
> > capability checks on the receiver side.
>
> Hmmm...except that we won't have the sender's SID available to us in
> selinux_netlink_recv(), so auditing would just occur in the receiver's
> context, possibly incorrectly.
>
--
Serge Hallyn <serue@private>

This archive was generated by hypermail 2.1.3 : Wed Feb 02 2005 - 07:07:32 PST