From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael C Thompson Subject: Re: audit 1.2.2 released Date: Wed, 24 May 2006 15:30:55 -0500 Message-ID: <4474C27F.9060707@us.ibm.com> References: <200605121726.32952.sgrubb@redhat.com> <4473374C.8030902@us.ibm.com> <44738AA0.50006@us.ibm.com> <200605240904.15987.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <200605240904.15987.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com Steve Grubb wrote: > On Tuesday 23 May 2006 18:20, Michael C Thompson wrote: >> socket_has_perm returns 0, > > This function is not exactly the one I was after.. > > 3387 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) > 3388 { > > 3401 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); > 3402 if (err) { > > 3415 goto out; > 3416 } > 3417 > 3418 err = socket_has_perm(current, sock, perm); > 3419 out: > 3420 return err; > 3421 } > > Socket_has_perm has the second vote. This function in turn gets called by > selinux_netlink_send, so that is probably the best place to hook. I do not see this function getting hit with 'auditctl -l'. >> If you have any possible fixes, I'll gladly test them, but currently, >> I'm at a loss for time and can't continue. > > I guess I'll put the hooks in the next kernel and let you test them. Send 'em my way :) Thanks, Mike