[PATCH][RFC] V2 Remove SELinux dependencies from linux-audit via LSM

Casey Schaufler casey at schaufler-ca.com
Tue Aug 7 17:44:30 UTC 2007


--- Stephen Smalley <sds at tycho.nsa.gov> wrote:

> On Sun, 2007-08-05 at 17:03 -0700, Casey Schaufler wrote:
> > From: Casey Schaufler <casey at schaufler-ca.com>
> > 
> > This patch interposes LSM interfaces between the audit system
> > and SELinux. This helps make SELinux a cleaner LSM and clarifies
> > the interfaces provided by the audit system. The audit system
> > no longer requires SELinux functions or data structures, making
> > it available for use by other LSMs.
> > 
> > The audit system interfaces should now be useful to any LSM that
> > can provide secids and text string representations that match them.
> > The audit system uses secids only to map to those strings and
> > treats them as opaque data otherwise. Audit rule information that
> > is specific to an LSM is maintained through a void *. 
> > 
> > The SELinux code uses LSM interfaces to access the audit system,
> > with the exception of audit_rule_update_callout(), which is
> > intended to be called at the discretion of an LSM to update the
> > LSM specific rules.
> > 
> > The LSM interface includes six new entries, four for audit and two
> > that supply secids from the LSM to networking and audit subsystems.
> > Also, there were several cases where SELinux code was being called
> > where LSM interfaces were more appropriate. These uses have been
> > repaired and the SELinux interfaces are no longer exported.
> > 
> > Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> 
> Looks sane, but the patch is malformed again, so I can't apply it.

I have to change my posting infrastructure. Stoopid 21st century software.

> There are still a few places where you appear to be making
> sparse-induced cleanups of other code unrelated to this change, so make
> those separate patches (and be sure you aren't duplicating what is
> already upstream).

I'll just have to live with the warnings, I guess. Thank you.

> You've tested the resulting kernel?  Built with a variety of configs?

Testing has been minimal (hence the [RFC]) because I don't want to
invest too much time in something that might not go anywhere. I will
work on an applyable patch posting and begin serious testing now that
someone who knows sanity when they see it (never one of my strong
points) has identified it as such. I have built it SELinux, Smack,
and neither, but only spent any serious run time with Smack.

Thank you.


Casey Schaufler
casey at schaufler-ca.com
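The layering the patch description lays out (audit treats secids as opaque values it can only turn into text through the LSM, and keeps LSM-specific rule state behind a void *) can be sketched as a small userspace model. The block below is an added illustration for this page, not code from the patch and not the kernel's LSM or audit API; every name in it (lsm_ops, toy_lsm, audit_rule_create, audit_filter_event, run_demo, the label table) is invented, and the label strings are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef uint32_t secid_t;

/* Hook table the audit layer calls into: four audit hooks plus a
 * secid-to-text mapping. The names are this example's, not the kernel's. */
struct lsm_ops {
    int  (*audit_rule_init)(const char *field, const char *value, void **lsmrule);
    int  (*audit_rule_match)(secid_t secid, const void *lsmrule);
    void (*audit_rule_free)(void *lsmrule);
    int  (*secid_to_secctx)(secid_t secid, char *buf, size_t len);
};

/* ---- Toy LSM: a secid indexes a label table (constructed data). ---- */
static const char *toy_labels[] = { "unlabeled", "system_u:system_r:init_t", "user_u:user_r:user_t" };
#define TOY_NLABELS (sizeof(toy_labels) / sizeof(toy_labels[0]))

struct toy_rule { char *label; };          /* what hides behind the void * */

static int toy_rule_init(const char *field, const char *value, void **lsmrule)
{
    struct toy_rule *r = malloc(sizeof *r);
    if (strcmp(field, "subj_label") != 0 || !r) { free(r); return -1; }  /* field not understood */
    r->label = malloc(strlen(value) + 1);
    if (!r->label) { free(r); return -1; }
    strcpy(r->label, value);
    *lsmrule = r;
    return 0;
}

static int toy_rule_match(secid_t secid, const void *lsmrule)
{
    const struct toy_rule *r = lsmrule;
    if (secid >= TOY_NLABELS) return 0;    /* unknown secid never matches */
    return strcmp(toy_labels[secid], r->label) == 0;
}

static void toy_rule_free(void *lsmrule)
{
    struct toy_rule *r = lsmrule;
    if (r) { free(r->label); free(r); }
}

static int toy_secid_to_secctx(secid_t secid, char *buf, size_t len)
{
    if (secid >= TOY_NLABELS) return -1;
    snprintf(buf, len, "%s", toy_labels[secid]);
    return 0;
}

static const struct lsm_ops toy_lsm = {
    toy_rule_init, toy_rule_match, toy_rule_free, toy_secid_to_secctx
};

/* ---- Audit side: sees only the hook table, opaque secids and a void *. ---- */
static const struct lsm_ops *security_ops = &toy_lsm;

struct audit_rule { void *lsm_rule; };   /* LSM-specific state, opaque here */

static struct audit_rule *audit_rule_create(const char *field, const char *value)
{
    struct audit_rule *rule = calloc(1, sizeof *rule);
    if (rule && security_ops->audit_rule_init(field, value, &rule->lsm_rule) != 0) {
        free(rule);                        /* LSM rejected the rule */
        rule = NULL;
    }
    return rule;
}

/* 1 if the event's subject matches the rule; ctx receives the LSM's text
 * for the secid, or "?" when the LSM cannot map it. */
static int audit_filter_event(const struct audit_rule *rule, secid_t subj, char *ctx, size_t ctxlen)
{
    if (security_ops->secid_to_secctx(subj, ctx, ctxlen) != 0)
        snprintf(ctx, ctxlen, "?");
    return security_ops->audit_rule_match(subj, rule->lsm_rule);
}

static void audit_rule_destroy(struct audit_rule *rule)
{
    if (rule) { security_ops->audit_rule_free(rule->lsm_rule); free(rule); }
}

/* Walk the layering once; returns 0 on success, else the failing step. */
int run_demo(void)
{
    char ctx[64];
    struct audit_rule *rule = audit_rule_create("subj_label", "user_u:user_r:user_t");
    if (!rule) return 1;
    if (audit_filter_event(rule, 2, ctx, sizeof ctx) != 1) return 2;
    if (strcmp(ctx, "user_u:user_r:user_t") != 0) return 3;
    if (audit_filter_event(rule, 1, ctx, sizeof ctx) != 0) return 4;
    if (audit_filter_event(rule, 99, ctx, sizeof ctx) != 0) return 5;
    if (strcmp(ctx, "?") != 0) return 6;
    audit_rule_destroy(rule);
    if (audit_rule_create("obj_label", "x") != NULL) return 7;  /* rejected */
    return 0;
}
```

The point of the model is what the audit side does not contain: no label strings, no knowledge of how a secid is encoded, and no struct for the rule state other than a void *. Swapping toy_lsm for another hook table that supplies its own secids and text forms leaves audit_rule_create and audit_filter_event untouched, which is the property the message claims for the patched audit system.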



