Re: [PATCH 3rd revision] Add SELinux context support to AUDIT target

Just to make sure, so the conclusion is that the patch is fine as
it is and anything related to unconvertible secids will be handled
by SELinux internally?


No.  This patch does not get my ACK.  Steve is right that silently
dropping information is a big big no no for the audit system and
that's what this patch does.  This cannot be wholly handled properly
inside the LSM either.  I don't see any patch meeting everyone's
requirements outside of a new one that includes the audit helper I
suggested.
Right, so the function you suggested yesterday (audit_log_secctx) should be added in audit.c in its entirety, and xt_AUDIT.c should just have something like:

#ifdef CONFIG_NF_CONNTRACK_SECMARK
	if (skb->secmark)
		audit_log_secctx(ab, skb->secmark);
#endif

Thus, discarding the result (rc), unless we are interested in the error code, which I don't think is the case here. Would everyone be happy with this?
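A userspace model of the helper under discussion, added here as an example and not code from the kernel, the patch or anyone in the thread: audit_log_secctx() either appends the converted context to the record or records that the conversion failed and returns the LSM's error, so the label is never dropped silently, and audit_packet() mirrors the xt_AUDIT call site above, where rc is discarded. secid_to_secctx(), secctx_table, struct audit_buffer and the record text are constructed stand-ins for security_secid_to_secctx(), the SELinux sidtab, the kernel audit buffer and the real NETFILTER_PKT record format.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's struct audit_buffer. */
struct audit_buffer { char msg[256]; };

/* Constructed secid -> context table standing in for the LSM's sidtab. */
static const char *const secctx_table[] = {
	NULL,                                        /* secid 0: no label */
	"system_u:object_r:kernel_t:s0",
	"unconfined_u:unconfined_r:unconfined_t:s0",
};

/* Model of security_secid_to_secctx(): 0 on success, -EINVAL if unknown. */
static int secid_to_secctx(unsigned int secid, const char **ctx)
{
	if (secid == 0 || secid >= sizeof(secctx_table) / sizeof(secctx_table[0]))
		return -EINVAL;
	*ctx = secctx_table[secid];
	return 0;
}

/* Append to the record, mirroring the kernel's audit_log_format(). */
#define audit_log_format(ab, ...) \
	snprintf((ab)->msg + strlen((ab)->msg), sizeof((ab)->msg) - strlen((ab)->msg), __VA_ARGS__)

/* The helper: either the label is logged or its absence is. Never silence. */
int audit_log_secctx(struct audit_buffer *ab, unsigned int secid)
{
	const char *ctx;
	int rc = secid_to_secctx(secid, &ctx);

	if (rc) {
		/* Make the gap visible in the record and report it to the caller. */
		audit_log_format(ab, " obj=? unconvertible_secid=%u", secid);
		return rc;
	}
	audit_log_format(ab, " obj=%s", ctx);
	return 0;
}

/* Model of the xt_AUDIT call site from the message: rc is discarded there. */
void audit_packet(struct audit_buffer *ab, unsigned int secmark)
{
	snprintf(ab->msg, sizeof(ab->msg), "netfilter_pkt secmark=%u", secmark);
	if (secmark)
		(void)audit_log_secctx(ab, secmark);
}
```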