handling disk full

Klaus Weidner klaus at atsec.com
Wed Dec 15 18:01:17 UTC 2004


Keep in mind that the CAPP audit requirements are fairly independent from
the SELinux uses of the audit subsystem. 

CAPP requires that specific actions don't complete if they can't be
audited, and those events will in general occur from a syscall context
where a sleep should not be a problem.

The events generated by SELinux are not required by CAPP, and it's not a
problem for CAPP compliance if those messages get discarded if there is
no room for them and the kernel can't sleep.

Things get more complicated if you're looking at an LSPP system with
SELinux being responsible for audit events related to labels which aren't
optional.

-Klaus

On Wed, Dec 15, 2004 at 11:48:25AM -0600, Mounir Bsaibes wrote:
> On Tue, 2004-12-14 at 17:06, Mounir Bsaibes wrote:
> > What I have currently, on disk full the auditd will notify the kernel
> > which sets up a flag "disk_full_flag". During audit_log_start if the
> > disk_full_flag is set the process will be queued in a wait queue until
> > auditd or auditctl reset the disk_full_flag,
> > I can provide more details if needed. This is the general method I am
> > going to use to cover this CAPP requirement.
> > Mounir
> 
> SELinux calls the audit subsystem from hard irq (e.g.
> file_send_sigiotask) and at times when kernel locks are held.
> 
> 
> So what is a better solution, just kill the process?
> I have changed the subject of this reply to make it more meaningful to
> this discussion and to separate it from the audit in vfs discussion.
> 
> Mounir Bsaibes
> Linux Security
> Tel:  (512) 838-1301
> Cell: (512) 762-9957
> Fax: (512) 838-8858
> e-mail: bsaibes at us.ibm.com
> 
> 
> Stephen Smalley <sds at epoch.ncsc.mil>
> Sent by: linux-audit-bounces at redhat.com
> 12/15/2004 10:08 AM
> Please respond to Linux Audit Discussion
> 
> To: Linux Audit Discussion <linux-audit at redhat.com>
> cc: 
> Subject: Re: best way to audit in vfs
> 
> On Tue, 2004-12-14 at 17:06, Mounir Bsaibes wrote:
> > What I have currently, on disk full the auditd will notify the kernel
> > which sets up a flag "disk_full_flag". During audit_log_start if the
> > disk_full_flag is set the process will be queued in a wait queue until
> > auditd or auditctl reset the disk_full_flag,
> > I can provide more details if needed. This is the general method I am
> > going to use to cover this CAPP requirement.
> > Mounir
> 
> SELinux calls the audit subsystem from hard irq (e.g.
> file_send_sigiotask) and at times when kernel locks are held.
> -- 
> Stephen Smalley <sds at epoch.ncsc.mil>
> National Security Agency
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
> 

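The two paths the thread argues about can be shown in a small user-space model. This is an added example written for this page; it is neither Mounir's patch nor the kernel's audit code, and every name in it (audit_log_start_sim, auditd_report_disk_full, auditd_reset_disk_full, the AUDIT_CTX_* and AUDIT_* enums) is this example's own. It models Mounir's design for the CAPP path: when auditd has set disk_full_flag, a caller in syscall context is parked on a FIFO wait queue and its action does not complete until auditd or auditctl clears the flag. It adds the behaviour Klaus describes for the SELinux path: a caller that cannot sleep (hard irq, locks held) has its record discarded and counted rather than blocking. The caller announces its context through an explicit enum; later kernels pass a gfp_mask to audit_log_start() to carry the same information.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the audit_log_start() disk-full handling discussed
 * on the list. Names are the example's own, not the kernel's. */

enum audit_ctx {
    AUDIT_CTX_PROCESS,  /* syscall path: sleeping is allowed (CAPP events) */
    AUDIT_CTX_ATOMIC    /* hard irq or locks held: must not sleep (SELinux) */
};

enum audit_result {
    AUDIT_WRITTEN = 0,  /* record reached the log */
    AUDIT_WAITING,      /* caller sleeps until disk_full_flag is cleared */
    AUDIT_DROPPED       /* record discarded and counted in the lost counter */
};

/* One sleeper on the wait queue: the syscall and the record it still owes. */
struct audit_waiter {
    int pid;
    char msg[96];
    struct audit_waiter *next;
};

static struct {
    int disk_full_flag;              /* set by auditd on ENOSPC */
    unsigned long written;
    unsigned long lost;              /* events discarded in atomic context */
    struct audit_waiter *waitq_head, *waitq_tail;
} astate;

static void audit_write_record(int pid, const char *msg) {
    astate.written++;
    printf("audit: pid=%d %s\n", pid, msg);
}

/* Reset the model (frees any sleepers still queued). */
void audit_reset(void) {
    struct audit_waiter *w = astate.waitq_head;
    while (w) { struct audit_waiter *n = w->next; free(w); w = n; }
    memset(&astate, 0, sizeof astate);
}

/* auditd tells the kernel the log partition is full. */
void auditd_report_disk_full(void) { astate.disk_full_flag = 1; }

unsigned long audit_written(void) { return astate.written; }
unsigned long audit_lost(void) { return astate.lost; }

enum audit_result audit_log_start_sim(enum audit_ctx ctx, int pid, const char *msg) {
    if (!astate.disk_full_flag) {
        audit_write_record(pid, msg);
        return AUDIT_WRITTEN;
    }
    if (ctx == AUDIT_CTX_ATOMIC) {
        /* cannot sleep here: discard but keep the loss visible */
        astate.lost++;
        return AUDIT_DROPPED;
    }
    /* syscall context: park the caller; the action does not complete. In a
     * kernel the wait-queue entry lives on the sleeper's stack, so the
     * allocation failure below has no real counterpart. */
    struct audit_waiter *w = calloc(1, sizeof *w);
    if (!w) { astate.lost++; return AUDIT_DROPPED; }
    w->pid = pid;
    snprintf(w->msg, sizeof w->msg, "%s", msg);
    if (astate.waitq_tail) astate.waitq_tail->next = w; else astate.waitq_head = w;
    astate.waitq_tail = w;
    return AUDIT_WAITING;
}

/* auditd/auditctl: space is available again. Clear the flag and wake the
 * sleepers in FIFO order; each woken syscall writes its record and goes on.
 * Returns the number of sleepers woken. */
unsigned long auditd_reset_disk_full(void) {
    unsigned long woken = 0;
    astate.disk_full_flag = 0;
    while (astate.waitq_head) {
        struct audit_waiter *w = astate.waitq_head;
        astate.waitq_head = w->next;
        audit_write_record(w->pid, w->msg);
        free(w);
        woken++;
    }
    astate.waitq_tail = NULL;
    return woken;
}

int main(void) {
    audit_reset();
    audit_log_start_sim(AUDIT_CTX_PROCESS, 100, "open /etc/shadow");   /* written */
    auditd_report_disk_full();
    audit_log_start_sim(AUDIT_CTX_PROCESS, 101, "unlink /tmp/x");      /* sleeps */
    audit_log_start_sim(AUDIT_CTX_ATOMIC, 0, "avc: denied (irq)");     /* dropped */
    audit_log_start_sim(AUDIT_CTX_PROCESS, 102, "chmod /bin/sh");      /* sleeps */
    printf("woken=%lu written=%lu lost=%lu\n", auditd_reset_disk_full(),
           audit_written(), audit_lost());
    return 0;
}
```

The counters are the part a defender should keep: a non-zero lost count on an LSPP-style system means label-related events were silently discarded in atomic context, which is exactly the case Klaus flags as not acceptable there, and the queue length shows how many syscalls are stalled on a full audit partition.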