[PATCH] LSPP audit enablement: storing selinux ocontext and scontext
Stephen Smalley
sds at tycho.nsa.gov
Mon Aug 29 21:28:01 UTC 2005
On Mon, 2005-08-29 at 16:18 -0500, Dustin Kirkland wrote:
> Ok, so the audit_panic() code seems to still be under discussion. One
> thing that's important to realize is that audit_panic() does not
> necessarily panic the kernel. Depending on the value of audit_failure,
> it can 1) fail silently, 2) fail with only a KERN_ERR printk, or 3) it
> can panic the kernel. Let's come to a consensus on how these failures
> should be handled...
As I understand it, Steve G was suggesting that when possible, it should
be propagating an error up the call chain, ultimately leading to an
error returned from the syscall, rather than doing any of the three
options listed above. That makes sense when collecting data for the
audit prior to the operation being performed, e.g.
audit_ipc_security_context. It doesn't make sense when attempting to
audit a completed syscall, e.g. audit_log_task_security_context, as the
operation has already completed.
--
Stephen Smalley
National Security Agency
More information about the Linux-audit
mailing list