
Re: audit2allow -l is unusable in FC5



On Tue, 5 Sep 2006 17:35:24 -0700 (PDT)
Steve G  wrote:
> >There is no log saying "avc granted load_policy",
> >instead, there is audit log "audit(1157498697.581:88): policy loaded 
> >auid=4294967295 ".
> Yes this is correct. This is the new way as of kernel 2.6.17. There was some
> overlap where an audit was in the policy and the kernel, but we only need one
> message. The audit2allow program should be updated to recognize the above as a
> load policy event.
I see, so avc.py should be fixed.
I wrote a simple patch.

Yuichi Nakamura




--- avc.py.orig	2006-09-06 08:34:03.000000000 +0900
+++ avc.py	2006-09-06 10:06:26.000000000 +0900
@@ -354,6 +354,15 @@
                                 found = 1
                             else:
                                 dict.append(i)
+                                
+                    if not found:
+                        regexp = "audit\(\d+\.\d+:\d+\): policy loaded"
+                        m = re.match(regexp, line)
+                        if m !=None:
+                            found =1
+                            dict.append("load_policy")
+                            dict.append("granted")
+                        
                     if found:
                         self.translate(dict)
                         found = 0
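
Review bot: `re.match(regexp, line)` in the added `if not found:` block only matches at the very start of `line`, so a "policy loaded" record is missed whenever any text precedes `audit(` on that line; `re.search` would find it wherever it appears. The pattern is also a plain string containing `\(` and `\d`, which is safer as a raw string (`r"audit\(\d+\.\d+:\d+\): policy loaded"`), and `m !=None` / `found =1` would read better as `m is not None` / `found = 1`. A short comment saying that "load_policy" and "granted" are synthesized here so that `self.translate(dict)` treats the kernel message like the old AVC record would help the next reader, and the two added whitespace-only lines can be dropped.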



