From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mr Dash Four
Subject: Re: [PATCH 3rd revision] Add SELinux context support to AUDIT target
Date: Wed, 08 Jun 2011 20:14:38 +0100
Message-ID: <4DEFCA1E.1040404@googlemail.com>
References: <4DEDEB99.4070601@netfilter.org> <4DEDFE43.5060402@googlemail.com> <201106081049.48026.sgrubb@redhat.com> <4DEFBBBE.6090307@schaufler-ca.com> <4DEFC6C9.5030004@googlemail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
Sender: netfilter-devel-owner@vger.kernel.org
To: Eric Paris
Cc: Casey Schaufler, Steve Grubb, linux-audit@redhat.com, Thomas Graf, netfilter-devel@vger.kernel.org, Al Viro, Patrick McHardy, Pablo Neira Ayuso
List-Id: linux-audit@redhat.com

> The LSM might report an error. It's up to the caller to figure out
> how to deal with that error. In this case we want to use the audit
> system so it's up to the audit system how to handle that error. This
> helper function says the audit system should log it if it works and
> should audit_panic() if it doesn't. audit_panic() will just call
> printk for most people and can actually panic the box for nutters who
> really care. In this way we always log the information and if we
> don't it's up to audit how audit handles its inability to log info.
>
> It's not netfilter's job to handle the error. It's not the LSM's job
> to know how its caller wants to handle the error. Audit is who has
> special requirements and the code to handle the error should be in
> audit code. (Maybe it wasn't clear, but I think this function should
> go in kernel/audit.c, not the netfilter code. The netfilter code
> should call this helper function.)
> Yeah, that's fair enough, though from what I remember security_secid_to_secctx already returns a 'yes'/'no' result (I am talking from the top of my head here as I am away at present and can't check it out to be certain), indicating whether the conversion was successful or not.
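The division of responsibility argued for above (the netfilter caller only hands over a secid; the audit helper owns the policy for a failed secid-to-context conversion) as an added userspace model written for this page. It is not kernel code and not the patch under review: the context table, the audit buffer and every function body are constructed stand-ins that merely echo the kernel names security_secid_to_secctx, audit_log_format and audit_panic, and the secids and contexts are made up.

```c
/* Userspace model of the error-handling split discussed in the thread.
 * Added example for this page; all names below are stand-ins that only
 * echo the kernel APIs they are modelled on. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_BUF_LEN 256

/* Stand-in for struct audit_buffer: a flat record under construction. */
struct audit_buffer {
    char data[AUDIT_BUF_LEN];
    size_t len;
};

/* Constructed secid -> security context table standing in for the LSM. */
static const struct { unsigned int secid; const char *ctx; } lsm_table[] = {
    { 1, "system_u:system_r:kernel_t:s0" },
    { 2, "system_u:object_r:httpd_packet_t:s0" },
};

/* Models security_secid_to_secctx(): 0 on success, -EINVAL when the LSM
 * has no context for the secid (the "LSM might report an error" case). */
static int lsm_secid_to_secctx(unsigned int secid, const char **ctx)
{
    size_t i;
    for (i = 0; i < sizeof lsm_table / sizeof lsm_table[0]; i++) {
        if (lsm_table[i].secid == secid) {
            *ctx = lsm_table[i].ctx;
            return 0;
        }
    }
    return -EINVAL;
}

/* Models audit_panic() in its default mode: it only prints. The call
 * count makes the failure policy observable without a real panic. */
static int audit_panic_count;
static void audit_panic(const char *msg)
{
    audit_panic_count++;
    fprintf(stderr, "audit: %s\n", msg);
}

/* Models audit_log_format(): appends " key=val" to the record. */
static void audit_log_format(struct audit_buffer *ab, const char *key, const char *val)
{
    int n = snprintf(ab->data + ab->len, AUDIT_BUF_LEN - ab->len, " %s=%s", key, val);
    if (n > 0 && (size_t)n < AUDIT_BUF_LEN - ab->len)
        ab->len += (size_t)n;
}

/* The helper the thread says belongs in the audit code: it either logs
 * the context or invokes audit_panic(); the caller never sees the error.
 * Returns 1 if a context was logged, 0 if the failure path ran. */
int audit_log_secctx(struct audit_buffer *ab, unsigned int secid)
{
    const char *ctx;
    if (lsm_secid_to_secctx(secid, &ctx)) {
        audit_panic("Cannot convert secid to context");
        return 0;
    }
    audit_log_format(ab, "obj", ctx);
    return 1;
}

/* Models the netfilter side: builds the record and hands the secid over.
 * There is deliberately no error handling here. */
int audit_packet_record(unsigned int secid, struct audit_buffer *ab)
{
    memset(ab, 0, sizeof *ab);
    audit_log_format(ab, "action", "accept");
    return audit_log_secctx(ab, secid);
}

int main(void)
{
    struct audit_buffer ab;
    audit_packet_record(2, &ab);
    printf("%s\n", ab.data);
    audit_packet_record(99, &ab);   /* unknown secid: helper takes the panic path */
    printf("%s (audit_panic calls: %d)\n", ab.data, audit_panic_count);
    return 0;
}
```

The point of the model is the shape of audit_packet_record: it contains no branch on the conversion result, because the decision between "log" and "audit_panic()" lives inside audit_log_secctx, which is where the thread argues it belongs.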