[RFC][PATCH -v2] Smack: Integrate with Audit
Casey Schaufler
casey at schaufler-ca.com
Wed Mar 12 18:09:39 UTC 2008
--- "Ahmed S. Darwish" <darwish.07 at gmail.com> wrote:
>
> > Perhaps I misunderstand, but Smack labels don't represent users (i.e.
> > user identity) in any way, so it seemed like a mismatch to use the _USER
> > flag there. Whereas types in SELinux bear some similarity to Smack
> > labels - simple unstructured names whose meaning is only defined by the
> > policy rules.
> >
>
> I think Casey meant the common use of Smack where a login program
> (openssh, bin/login, ..) sets a label for each user that logs in, thus
> letting each label effectively representing a user.
No, I really just don't care which name gets used because none
of them map properly but I don't see value in adding a new one.
I say _USER is fine. I dislike _TYPE because it implies structure
that isn't there and I dislike _ROLE because someone may want to
implement roles on top of Smack (it wouldn't be hard) and don't
want to start using that term for a specific meaning that might
give 'em fits.
>
> In a sense, smack labels share a bit of _USER and _TYPE.
And maybe _ROLE, if you look at it from the right angle.
I don't think that it matters. Create a new _LATEFORDINNER
if that makes y'all feel better. Best of all would be to
stick with _USER and call it done.
Thank you.
Casey Schaufler
casey at schaufler-ca.com
More information about the Linux-audit
mailing list