Hi Serge,

I have a question about stacker_vm_enough_memory.

I note that SELinux doesn't implement the vm_enough_memory hook right now, so fixup_ops gives them dummy_vm_enough_memory. Same for our module currently in an unstacked setup.

For stacker, if no module is registered, stacker_vm_enough_memory calls capable() rather than dummy_capable() [but the problem would be the same if capability was the first module in the list (or any module whose vm_enough_memory hook called capable())].

The issue is that if any module in the chain tries to do any auditing based on rejecting capable(), things get quite noisy. I would imagine SELinux auditing, if enabled, would see a similar problem.

Places in the kernel which modify a request rather than rejecting it based on the result of capable() seem few at present.

Thanks,
Tony
This archive was generated by hypermail 2.1.3 : Tue Jun 28 2005 - 17:28:04 PDT