Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

--- Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> ...
> IIRC, originally audit directly called inode_getsecurity() to get the
> string label, and there was a (since removed) LSM hook to get the name
> suffix that it needed to pass in as input.  That was then replaced by
> use of interfaces to get the secid at audit collection time and convert
> that into a context only upon audit record generation to avoid the
> overhead associated with collecting a context always.
> 
> Whereas I think NFS just wants the context always, and it doesn't serve
> any purpose to first get a secid and then later turn it into a context.

It turns out that I agree that hooks to get the secctx of things
would be good to have, in fact I much prefer them to the secid
interfaces. I would personally prefer to see audit use them instead
of the secid interfaces, but I acknowledge the performance implications
that would have on SELinux.


Casey Schaufler
casey@xxxxxxxxxxxxxxxx
