On Tue, 2005-06-28 at 16:48 -0700, Tony Jones wrote:
> For stacker, if no module is registered, stacker_vm_enough_memory calls
> capable() rather than dummy_capable() [but the problem would be the same
> if capability was the first module in the list (or any module whose
> vm_enough_memory hook called capable()].
>
> The issue is that if any module in the chain tries to do any auditing based
> on rejecting capable() things get quite noisy.
>
> I would imagine selinux auditing, if enabled, would see a similar problem.

I remember having this problem (spurious SELinux auditing of CAP_SYS_ADMIN checks by vm_enough_memory) with earlier versions of stacker, but it ultimately being fixed by Serge's other patches for consolidating the vm_enough_memory hooks into a common helper that were upstreamed earlier and the removal of the selinux_vm_enough_memory hook by the stacking patches.

With stacker+SELinux+cap_stack, stacker should end up calling cap_vm_enough_memory, which internally just calls cap_capable(), so SELinux isn't involved at all in the computation.

Whether or not stacker should fall back to calling the top-level capable() is unclear, but it isn't going to matter for most people, as they will be stacking with dummy or capability or cap_stack, and thus will have a vm_enough_memory hook defined (and none of those hooks call the top-level capable internally anymore).

--
Stephen Smalley
National Security Agency
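The dispatch behaviour the two messages describe, as an added user-space model that is not code from the thread, from stacker, or from the kernel: a stacker that hands vm_enough_memory to the first module providing the hook and otherwise falls back to the top-level capable(), next to an auditing module that logs every denied capable() check. The structures and names (struct lsm, lsm_chain, audit_log_count, vm_enough_memory_common, the fixed page budget) are assumptions of this model; the real cap_vm_enough_memory, cap_capable and selinux_capable are only approximated, and the point shown is why routing the CAP_SYS_ADMIN probe through the module-local cap_capable() keeps the audit log quiet while the chain-walking fallback does not.

```c
/* Added model of LSM stacking dispatch for vm_enough_memory (not kernel code).
 * All names below are assumptions of the model, not real kernel symbols. */
#include <stdio.h>
#include <stdlib.h>

#define CAP_SYS_ADMIN 21
#define MAX_LSM 4

struct task {
    unsigned long cap_effective;   /* effective capability bitmask */
};

struct lsm {
    const char *name;
    /* returns 0 if allowed, -1 if denied */
    int (*capable)(struct task *t, int cap);
    /* NULL when the module provides no vm_enough_memory hook */
    int (*vm_enough_memory)(struct task *t, long pages);
};

static int audit_log_count;        /* number of audit records emitted */

/* capability-module check: pure bitmask test, never audits */
static int cap_capable(struct task *t, int cap) {
    return (t->cap_effective & (1UL << cap)) ? 0 : -1;
}

/* SELinux-like module: same decision here, but every denial is audited */
static int selinux_capable(struct task *t, int cap) {
    int rc = cap_capable(t, cap);
    if (rc != 0)
        audit_log_count++;
    return rc;
}

static struct lsm *lsm_chain[MAX_LSM];
static int lsm_count;

static void lsm_register(struct lsm *m) {
    if (lsm_count < MAX_LSM)
        lsm_chain[lsm_count++] = m;
}

static void lsm_reset(void) {
    lsm_count = 0;
    audit_log_count = 0;
}

/* Top-level capable(): walks the whole chain, so any module may deny and audit */
static int capable(struct task *t, int cap) {
    for (int i = 0; i < lsm_count; i++)
        if (lsm_chain[i]->capable && lsm_chain[i]->capable(t, cap) != 0)
            return -1;
    return 0;
}

/* Overcommit heuristic: unprivileged callers lose a reserve.  The capability
 * probe here runs on every allocation, which is what makes auditing noisy. */
#define FREE_PAGES 1000
#define ADMIN_RESERVE 100

static int vm_enough_memory_common(struct task *t, long pages,
                                   int (*cap_check)(struct task *, int)) {
    long free_pages = FREE_PAGES;
    if (cap_check(t, CAP_SYS_ADMIN) != 0)
        free_pages -= ADMIN_RESERVE;
    return pages <= free_pages ? 0 : -1;
}

/* capability module's hook: probes with the module-local cap_capable() */
static int cap_vm_enough_memory(struct task *t, long pages) {
    return vm_enough_memory_common(t, pages, cap_capable);
}

/* stacker: first module with the hook wins; otherwise fall back to capable() */
static int stacker_vm_enough_memory(struct task *t, long pages) {
    for (int i = 0; i < lsm_count; i++)
        if (lsm_chain[i]->vm_enough_memory)
            return lsm_chain[i]->vm_enough_memory(t, pages);
    return vm_enough_memory_common(t, pages, capable);
}

static struct lsm capability_lsm = { "capability", cap_capable, cap_vm_enough_memory };
static struct lsm selinux_lsm = { "selinux", selinux_capable, NULL };

/* Run `allocations` unprivileged requests under a stack of selinux (+ capability)
 * and report how many audit records the stack produced. */
static int audit_records_for(int with_capability_module, int allocations) {
    struct task t = { .cap_effective = 0 };   /* constructed unprivileged task */
    lsm_reset();
    lsm_register(&selinux_lsm);
    if (with_capability_module)
        lsm_register(&capability_lsm);
    for (int i = 0; i < allocations; i++)
        (void)stacker_vm_enough_memory(&t, 10);
    return audit_log_count;
}

/* Result of one request of `pages` pages under the same two stacks. */
static int stacker_result_for(int with_capability_module, long pages) {
    struct task t = { .cap_effective = 0 };
    lsm_reset();
    lsm_register(&selinux_lsm);
    if (with_capability_module)
        lsm_register(&capability_lsm);
    return stacker_vm_enough_memory(&t, pages);
}
```

Both stacks reach the same allow/deny decision; the difference is only in the audit trail, which is the whole complaint in the thread: with the capability module's hook in place the probe never re-enters the chain, so the auditing module never sees the CAP_SYS_ADMIN denials.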
This archive was generated by hypermail 2.1.3 : Wed Jun 29 2005 - 06:34:47 PDT