On Thu, Jun 9, 2011 at 10:08 AM, Mr Dash Four <mr.dash.four@xxxxxxxxxxxxxx> wrote:
>
>>> Just to make sure, so the conclusion is that the patch is fine as
>>> it is and anything related to unconvertible secids will be handled
>>> by SELinux internally?
>>>
>>
>> No. This patch does not get my ACK. Steve is right that silently
>> dropping information is a big big no-no for the audit system and
>> that's what this patch does. This cannot be wholly handled properly
>> inside the LSM either. I don't see any patch meeting everyone's
>> requirements outside of a new one that includes the audit helper I
>> suggested.
>>
>
> Right, so the function you suggested yesterday (audit_log_secctx) should be
> added in audit.c in its entirety, and xt_AUDIT.c should just have something
> like:
>
> #ifdef CONFIG_NF_CONNTRACK_SECMARK
>     if (skb->secmark)
>         audit_log_secctx(ab, skb->secmark);
> #endif
>
> Thus, discarding the result (rc), unless we are interested in the error
> code, which I don't think is the case here. Would everyone be happy with
> this?

Actually, just make it a void function, as I don't think anyone would/could/should make use of the return value.

-Eric
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
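The shape the thread converges on (a void audit_log_secctx(ab, secid) helper in audit.c, called from xt_AUDIT.c only when skb->secmark is set, and never silently dropping an unconvertible secid) as an added example. This is a user-space model written for this page; it is not code from the thread, from Eric's proposed helper, or from the kernel tree. The audit_buffer struct, the secid table, secid_to_secctx(), audit_panic(), xt_audit_record(), audit_failures() and audit_last_panic() are all assumptions made so it compiles and runs stand-alone; the kernel's real security_secid_to_secctx() and audit_panic() are only approximated.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_BUF_SIZE 256

/* Assumption: stand-in for the kernel's struct audit_buffer, one record
 * being assembled before it is emitted. */
struct audit_buffer {
    char msg[AUDIT_BUF_SIZE];
    size_t len;
};

/* Constructed secid -> context table standing in for the LSM side of
 * security_secid_to_secctx(); the secids and contexts are made up. */
static const struct { uint32_t secid; const char *ctx; } secid_table[] = {
    { 1, "system_u:object_r:packet_t:s0" },
    { 2, "system_u:object_r:http_client_packet_t:s0" },
};

/* Model of security_secid_to_secctx(): 0 on success, -EINVAL (-22) when
 * the secid has no context (unknown secmark, or no LSM able to convert). */
static int secid_to_secctx(uint32_t secid, const char **ctx)
{
    for (size_t i = 0; i < sizeof secid_table / sizeof secid_table[0]; i++) {
        if (secid_table[i].secid == secid) {
            *ctx = secid_table[i].ctx;
            return 0;
        }
    }
    return -22;
}

/* Model of audit_panic(): the "never lose a record quietly" path. Here it
 * counts the failure and keeps the last message so the loss is visible
 * instead of being swallowed. */
static int panic_count = 0;
static char last_panic[128];

static void audit_panic(const char *why)
{
    panic_count++;
    snprintf(last_panic, sizeof last_panic, "audit: %s", why);
}

/* Model of audit_log_format(): append formatted text to the record. */
static void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (ab->len >= sizeof ab->msg)
        return;
    va_start(ap, fmt);
    n = vsnprintf(ab->msg + ab->len, sizeof ab->msg - ab->len, fmt, ap);
    va_end(ap);
    if (n > 0 && (size_t)n < sizeof ab->msg - ab->len)
        ab->len += (size_t)n;
}

/* The helper as discussed: void, takes the buffer and the secid. An
 * unconvertible secid is reported through audit_panic(), not dropped. */
void audit_log_secctx(struct audit_buffer *ab, uint32_t secid)
{
    const char *secctx;

    if (secid_to_secctx(secid, &secctx))
        audit_panic("Cannot convert secid to context");
    else
        audit_log_format(ab, " obj=%s", secctx);
}

/* Model of the xt_AUDIT.c call site: build one packet record. Returns the
 * record text (static storage, overwritten by the next call). */
const char *xt_audit_record(uint32_t secmark)
{
    static struct audit_buffer ab;

    ab.len = 0;
    ab.msg[0] = '\0';
    audit_log_format(&ab, "op=packet");
    if (secmark)  /* the CONFIG_NF_CONNTRACK_SECMARK branch from the mail */
        audit_log_secctx(&ab, secmark);
    return ab.msg;
}

int audit_failures(void) { return panic_count; }
const char *audit_last_panic(void) { return last_panic; }

int main(void)
{
    printf("%s\n", xt_audit_record(2));
    printf("%s\n", xt_audit_record(0));
    printf("%s (failures=%d, %s)\n", xt_audit_record(99),
           audit_failures(), audit_last_panic());
    return 0;
}
```

The point the model makes is the one Steve and Eric raise: a secmark that cannot be converted still produces a visible failure (here a counter and message, in the kernel audit_panic()'s configured failure action), and a zero secmark simply omits the obj= field, so the record never looks complete while quietly missing information.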