George Beshers wrote: > 2) Because Auditing is an integral part of my LSM it is important > that the methods be called even if another module is going to > deny permission --- this is not the semantics of > RETURN_ERROR_IF_ANY_ERROR. It appears that SELinux also > might have a similar concern. Short-circuit error returns is the semantics of the LSM hooks in the Linux kernel; there are access requests that error out on DAC and other checks that no LSM module will ever see. Therefore it is at least consistent if Stacker also errors out short, returning "no" if any module says "no" without bothering to ask all the modules. To get the effect you want, why not just stack your module first (or last, whatever) such that it is the first module checked by Stacker? Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ Director of Software Engineering, Novell http://novell.com
This archive was generated by hypermail 2.1.3 : Mon Jul 11 2005 - 08:59:15 PDT