Re: [redhat-lspp] change lspp ipc auditing

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: "Dustin Kirkland" <dustin.kirkland@gmail.com>
To: Steve Grubb <sgrubb@redhat.com>, Alexander Viro <aviro@redhat.com>
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com
Subject: Re: [redhat-lspp] change lspp ipc auditing
Date: Fri, 31 Mar 2006 15:24:31 -0600	[thread overview]
Message-ID: <d9c105ea0603311324s700ee01fq5cd6b09cd5a47be5@mail.gmail.com> (raw)
In-Reply-To: <200603311522.49811.sgrubb@redhat.com>

On 3/31/06, Steve Grubb <sgrubb@redhat.com> wrote:
> The patch below converts IPC auditing to collect sid's and convert to context
> string only if it needs to output an audit record. This patch depends on the
> inode audit change patch already being applied.

Looks pretty much like the version of this I submitted last night.  It
looks fine to me.

Point of clarification, though...  We need to simplify for Al
*exactly* what needs to be applied.  There's a gang of patches flying
around with IPC in the subject under multiple different threads, most
of which are redundant.

As I see it there are two things that needs to happen with respect to
IPC auditing...

(1) Steve's patch above (or my patch from last night) eliminates the
char *ctx strings in the ipc audit records resulting in improved
performance (and eliminating the memory leaks that resurrected this
code a month ago)

(2) My ipc audit rework patch that splits the ipc audit functions into
two separate functions, each recording something different...  One
audits the ipc object itself (which is what will record the SELinux
context sid.  And the second is called when permissions are changed on
an ipc object (happens in IPC_SET operations).  Steve has recommended
a minor change to the naming of the audit record type from
AUDIT_IPC_NEW_PERM to AUDIT_IPC_SET_PERM.  That's acceptable by me. 
I'll repost this patch very soon.

:-Dustin

next prev parent reply	other threads:[~2006-03-31 21:24 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-03-31 20:22 change lspp ipc auditing Steve Grubb
2006-03-31 21:24 ` Dustin Kirkland [this message]
2006-03-31 21:38 ` Stephen Smalley
2006-04-01  1:36   ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d9c105ea0603311324s700ee01fq5cd6b09cd5a47be5@mail.gmail.com \
    --to=dustin.kirkland@gmail.com \
    --cc=aviro@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=redhat-lspp@redhat.com \
    --cc=sgrubb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox