Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On Fri, Mar 10, 2017 at 2:54 PM, Paul Moore wrote: > On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley wrote: >> generic_permission() presently checks CAP_DAC_OVERRIDE prior to >> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when >>

Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On Fri, Mar 10, 2017 at 2:54 PM, Paul Moore wrote: > On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley wrote: >> generic_permission() presently checks CAP_DAC_OVERRIDE prior to >> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when >> using a LSM such as SELinux or AppArmor,

Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On Fri, 10 Mar 2017, Stephen Smalley wrote: > generic_permission() presently checks CAP_DAC_OVERRIDE prior to > CAP_DAC_READ_SEARCH. This can cause misleading audit messages when > using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE > may not be required for the operation. Flip the

Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On Fri, 10 Mar 2017, Stephen Smalley wrote: > generic_permission() presently checks CAP_DAC_OVERRIDE prior to > CAP_DAC_READ_SEARCH. This can cause misleading audit messages when > using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE > may not be required for the operation. Flip the

Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

Quoting Stephen Smalley (s...@tycho.nsa.gov): > generic_permission() presently checks CAP_DAC_OVERRIDE prior to > CAP_DAC_READ_SEARCH. This can cause misleading audit messages when > using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE > may not be required for the operation. Flip the

Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

Quoting Stephen Smalley (s...@tycho.nsa.gov): > generic_permission() presently checks CAP_DAC_OVERRIDE prior to > CAP_DAC_READ_SEARCH. This can cause misleading audit messages when > using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE > may not be required for the operation. Flip the

Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On 03/10/2017 11:54 AM, Paul Moore wrote: > On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley wrote: >> generic_permission() presently checks CAP_DAC_OVERRIDE prior to >> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when >> using a LSM such as SELinux or

Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On 03/10/2017 11:54 AM, Paul Moore wrote: > On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley wrote: >> generic_permission() presently checks CAP_DAC_OVERRIDE prior to >> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when >> using a LSM such as SELinux or AppArmor, since

Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley wrote: > generic_permission() presently checks CAP_DAC_OVERRIDE prior to > CAP_DAC_READ_SEARCH. This can cause misleading audit messages when > using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE > may not be

Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley wrote: > generic_permission() presently checks CAP_DAC_OVERRIDE prior to > CAP_DAC_READ_SEARCH. This can cause misleading audit messages when > using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE > may not be required for the

[PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

generic_permission() presently checks CAP_DAC_OVERRIDE prior to CAP_DAC_READ_SEARCH. This can cause misleading audit messages when using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE may not be required for the operation. Flip the order of the tests so that CAP_DAC_OVERRIDE is only

[PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

generic_permission() presently checks CAP_DAC_OVERRIDE prior to CAP_DAC_READ_SEARCH. This can cause misleading audit messages when using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE may not be required for the operation. Flip the order of the tests so that CAP_DAC_OVERRIDE is only

[PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

generic_permission() presently checks CAP_DAC_OVERRIDE prior to CAP_DAC_READ_SEARCH. This can cause misleading audit messages when using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE may not be required for the operation. Flip the order of the tests so that CAP_DAC_OVERRIDE is only

[PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

generic_permission() presently checks CAP_DAC_OVERRIDE prior to CAP_DAC_READ_SEARCH. This can cause misleading audit messages when using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE may not be required for the operation. Flip the order of the tests so that CAP_DAC_OVERRIDE is only