[PATCH] LSPP audit enablement: storing selinux ocontext and scontext

Steve Grubb sgrubb at redhat.com
Mon Aug 29 22:05:59 UTC 2005


On Monday 29 August 2005 17:28, Stephen Smalley wrote:
> That makes sense when collecting data for the audit prior to the operation
> being performed, e.g. audit_ipc_security_context. It doesn't make sense when
> attempting to audit a completed syscall, e.g.
> audit_log_task_security_context, as the operation has already completed.

I completely agree.

And it is worthwhile to check the hook placement to see that we can fail the 
syscall if needed. Meaning that there may be a hook right after the action is 
performed. But all we are doing is collecting information. It might be moved 
in front of the action. Not sure if there are any cases like this since I 
haven't looked in depth.

-Steve



