From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
Casey Schaufler <casey@schaufler-ca.com>
Cc: Dave Quigley <dpquigl@tycho.nsa.gov>,
Chris Wright <chrisw@sous-sol.org>,
jmorris@namei.org, linux-security-module@vger.kernel.org,
selinux@tycho.nsa.gov
Subject: Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.
Date: Wed, 5 Mar 2008 09:24:36 -0800 (PST)
Message-ID: <804501.84545.qm@web36608.mail.mud.yahoo.com>
In-Reply-To: <1204726080.1397.16.camel@moss-spartans.epoch.ncsc.mil>
--- Stephen Smalley <sds@tycho.nsa.gov> wrote:
> ...
> IIRC, originally audit directly called inode_getsecurity() to get the
> string label, and there was a (since removed) LSM hook to get the name
> suffix that it needed to pass in as input. That was then replaced by
> use of interfaces to get the secid at audit collection time and convert
> that into a context only upon audit record generation to avoid the
> overhead associated with collecting a context always.
>
> Whereas I think NFS just wants the context always, and it doesn't serve
> any purpose to first get a secid and then later turn it into a context.

It turns out that I agree that hooks to get the secctx of things
would be good to have, in fact I much prefer them to the secid
interfaces. I would personally prefer to see audit use them instead
of the secid interfaces, but I acknowledge the performance implications
that would have on SELinux.

Casey Schaufler
casey@schaufler-ca.com