From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <43F39797.1050602@trustedcs.com>
Date: Wed, 15 Feb 2006 15:05:27 -0600
From: Darrel Goeddel
MIME-Version: 1.0
To: "Timothy R. Chavez"
CC: Stephen Smalley, Linux Audit Discussion, James Morris, selinux@tycho.nsa.gov
Subject: Re: [RFC][PATCH] collect security labels on user processes generating audit messages
References: <1139530450.12638.7.camel@localhost> <1139857945.14253.112.camel@moss-spartans.epoch.ncsc.mil> <1139960902.326.5.camel@localhost>
In-Reply-To: <1139960902.326.5.camel@localhost>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Timothy R. Chavez wrote:
> James & Stephen,
>
> Thank you for the comments. While implementing your feedback I came
> across a pretty severe bug. I was basically obtaining the sid and then
> throwing it away (I was returning it from the function, but not actually
> assigning it to anything). New patch below. I still need to test this
> a little more. Thanks!
>
> -tim

Should you really be using an lsm interface for getting the sid? The
patch is currently allowing any security module to put a secid (whose
comment says SELinux security id) into the netlink_skb_params struct.
This generic item is then only used in SELinux specific calls. It seems
that the getsecid functionality could just fit into an SELinux specific
API just like selinux_id_to_ctx and friends. That would also avoid the
overhead of lsm and all of the associated code changes. Of course this
is probably moot if there are other planned uses for
security_task_getsecid().

--

Darrel