avc messages getting separated

Steve Grubb sgrubb at redhat.com
Sun Mar 5 17:47:32 UTC 2006


On Sunday 05 March 2006 11:58, Linda Knippers wrote:
> Do you recall why it should never happen?

Because you have this disembodied information that is not correlated with the 
avc. (yes there is a serial number that ties them together, but we agreed a 
long time ago that everything with the same serial number comes out in a 
group with nothing in between.) The avc should mark the context auditable and 
add to what gets emitted at syscall exit. 

The other case for avcs is when you have an avc off of an interrupt. In this 
case, there is no syscall, so it should be an avc standing alone.

-Steve
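
A way to check an audit log for the grouping rule described above, as an added example that is not part of the original message or of the audit project's code. It assumes the usual `type=... msg=audit(timestamp:serial):` record header; the function name `check_grouping` is hypothetical and the sample records are constructed.

```python
import re

# Record header written by the audit subsystem: type=X msg=audit(sec.ms:serial):
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):")

def check_grouping(lines):
    """Return (split_events, standalone_avcs) as lists of 'timestamp:serial' ids.

    split_events: events whose records are interrupted by another event's record.
    standalone_avcs: events that carry an AVC record but no SYSCALL record.
    """
    types = {}      # event id -> record types in the order seen
    closed = set()  # event ids whose contiguous run has already ended
    split = []
    prev = None
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record, skip it
        rtype, event = m.group(1), m.group(2)
        if event != prev:
            if prev is not None:
                closed.add(prev)
            # Seeing an id again after its run ended means the group was separated.
            if event in closed and event not in split:
                split.append(event)
            prev = event
        types.setdefault(event, []).append(rtype)
    standalone = [e for e, t in types.items() if "AVC" in t and "SYSCALL" not in t]
    return split, standalone

# Constructed sample: 421 is grouped correctly, 422 is separated from its
# syscall record by 423, and 424 is an AVC with no syscall (the interrupt case).
SAMPLE = [
    'type=AVC msg=audit(1141580852.346:421): avc:  denied  { read } for  pid=2101 comm="cat"',
    'type=SYSCALL msg=audit(1141580852.346:421): arch=40000003 syscall=5 success=no',
    'type=AVC msg=audit(1141580853.010:422): avc:  denied  { write } for  pid=2102 comm="sh"',
    'type=SYSCALL msg=audit(1141580853.012:423): arch=40000003 syscall=3 success=yes',
    'type=SYSCALL msg=audit(1141580853.010:422): arch=40000003 syscall=4 success=no',
    'type=AVC msg=audit(1141580854.500:424): avc:  denied  { recv } for  pid=0 comm="swapper"',
]

if __name__ == "__main__":
    split, standalone = check_grouping(SAMPLE)
    print("separated groups:", split)
    print("AVCs without a syscall record:", standalone)
```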



