On Tue, Jun 8, 2021 at 7:02 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > On Thu, Jun 3, 2021 at 7:46 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: ... > > It sounds an awful lot like the lockdown hook is in the wrong spot. > > It sounds like it would be a lot better to relocate the hook than > > remove it. > > I don't see how you would solve this by moving the hook. Where do you > want to relocate it? Wherever it makes sense. Based on your comments it really sounded like the hook was in a bad spot and since your approach in a lot of this had been to remove or disable hooks I wanted to make sure that relocating the hook was something you had considered. Thankfully it sounds like you have considered moving the hook - that's good. > The main obstacle is that the message containing > the SA dump is sent to consumers via a simple netlink broadcast, which > doesn't provide a facility to redact the SA secret on a per-consumer > basis. I can't see any way to make the checks meaningful for SELinux > without a major overhaul of the broadcast logic. Fair enough. -- paul moore www.paul-moore.com
