Quoting Kentaro Takeda (takedakn@nttdata.co.jp):
quoted text
> Valdis.Kletnieks@vt.edu wrote:
> > On Tue, 30 Sep 2008 19:33:32 PDT, Casey Schaufler said:
> >> I have always believed that MAC should come first, then DAC, because
> >> MAC may care if you can see the mode bits. The current DAC before MAC
> >> is an artifact of the desire for the LSM to behave cleanly as a
> >> strictly additional mechanism. From an ideal security perspective
> >> MAC should be first, but the pragmatic DAC first isn't going to cause
> >> too much grief. If Tomoyo wants to do what I think is the right thing,
> >> well, it's OK with me.
> > I'm OK with the MAC going first as well
> Current implementation is as follows.
> - security_path_*: MAC before DAC
> - security_inode_*: DAC before MAC
> I can understand Casey and Valdis' MAC first approach from the ideal 
> security perspective. However, from the pragmatic perspective, we 
> prefer DAC before MAC approach as SELinux does. This approach doesn't 
> change error code returned to callers if requested access is denied 
> by DAC.
> 
> Regards,

I suppose you could do something like define both _path and _inode,
save away your result from the _path hook but always return 0, there,
then if you'd saved off an error and you make it to the _inode hook,
return the error there...

-serge
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/