|Main Archive Page > Month Archives > selinux archives|
On Tue, 2007-09-18 at 12:42 -0400, Eric Paris wrote:
> On Tue, 2007-09-18 at 12:28 -0400, Stephen Smalley wrote:
> > > @@ -296,6 +312,9 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf,
> > > if (length)
> > > goto out;
> > >
> > > + printk(KERN_INFO "Policy loaded with handle_unknown=%s\n",
> > > + security_get_handle_unknown_txt());
> > I think this should have some well-defined prefix on it, like "SELinux:"
> > or something, to make it easy to identify. Steve Grubb might have an
> > opinion on whether it should use printk or have its own audit message or
> > be added to the load policy audit message.
> Baah, yeah, it should have that prefix.
> I talked to sgrubb about it, he said that since it wasn't something
> which could be 'changed' (like setenforce or a boolean) it didn't need
> an audit message. I offered to tack it onto the policy load audit
> message but he didn't at the time seem to feel it was portraying useful
> information since we assume we know what policy was loaded and thus just
> knowing it was loaded should be enough to tell us the handle_unknown
Except that my libsemanage patch allows you to change the flag from the one in the base module via a semanage.conf setting. Unless we chose to not merge that support and only allow it to be inherited from base module.
> He instead suggested an addition to sestatus or some other tool so it
> could be read if the admin cared.
> Do you have other feelings now steve?
-- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to email@example.com with the words "unsubscribe selinux" without quotes as the message.