Re: Questions for the Stacker FAQ

From: Crispin Cowan (crispin@private)
Date: Mon Jul 11 2005 - 08:57:50 PDT


George Beshers wrote:
> 2)  Because Auditing is an integral part of my LSM it is important
>     that the methods be called even if another module is going to
>     deny permission --- this is not the semantics of
>     RETURN_ERROR_IF_ANY_ERROR.  It appears that SELinux also
>     might have a similar concern.
Short-circuit error returns is the semantics of the LSM hooks in the
Linux kernel; there are access requests that error out on DAC and other
checks that no LSM module will ever see.

Therefore it is at least consistent if Stacker also errors out short,
returning "no" if any module says "no" without bothering to ask all the
modules.

To get the effect you want, why not just stack your module first (or
last, whatever) such that it is the first module checked by Stacker?

Crispin
-- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
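
The ordering point made in this message, as an added user-space C model (not part of the original post, and not Stacker or kernel code): an auditing module stacked first sees every request that reaches the stack, one stacked last misses whatever an earlier module denied, and neither sees requests rejected before any hook runs. All function names and the deny rules are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model. Every name here is hypothetical; none of it is the
 * Stacker or LSM kernel API. */
typedef int (*hook_fn)(int request);

static int audit_seen; /* requests the auditing module was asked about */

/* Auditing module: records each request it sees and never denies. */
static int audit_hook(int request) { (void)request; audit_seen++; return 0; }

/* Policy module: denies odd-numbered requests (constructed rule). */
static int deny_odd_hook(int request) { return (request % 2) ? -EACCES : 0; }

/* Stand-in for DAC and other checks made before any hook runs
 * (constructed rule: requests 8 and above fail). */
static int dac_check(int request) { return request >= 8 ? -EACCES : 0; }

/* Short-circuit composition: first error wins, later modules are skipped. */
static int access_request(const hook_fn *mods, size_t n, int request)
{
    int rc = dac_check(request);
    for (size_t i = 0; rc == 0 && i < n; i++)
        rc = mods[i](request);
    return rc;
}

/* Send requests 0..count-1 through the stack; return the audit count. */
static int audited(const hook_fn *mods, size_t n, int count)
{
    audit_seen = 0;
    for (int r = 0; r < count; r++)
        (void)access_request(mods, n, r);
    return audit_seen;
}

static const hook_fn AUDIT_FIRST[] = { audit_hook, deny_odd_hook };
static const hook_fn AUDIT_LAST[]  = { deny_odd_hook, audit_hook };

int audit_stacked_first(void) { return audited(AUDIT_FIRST, 2, 10); }
int audit_stacked_last(void)  { return audited(AUDIT_LAST, 2, 10); }

int main(void)
{
    printf("first: %d, last: %d\n", audit_stacked_first(), audit_stacked_last());
    return 0;
}
```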


