
Re: [patch] fix syscall speedup patch mips typo

Steve Grubb wrote:
> On Wednesday 15 March 2006 12:39, Linda Knippers wrote:
>> When is a SYSCALL_PARTIAL emitted, vs a SYSCALL?
>
> Whenever there are no audit rules loaded and an AVC message is triggered. We just grab what's readily available which means we don't have the arch, syscall, or args. Everything else should be there.

I don't understand why this record is a good idea.  It seems to
duplicate a lot of information that is already in the AVC message
and if someone wanted the syscall to be audited, they'd audit it.

type=AVC msg=audit(0.000:45): avc: denied { search } for pid=1690 comm="sh" name="/" dev=devpts ino=1 scontext=system_u:system_r:insmod_t:s0-s15:c0.c255 tcontext=system_u:object_r:devpts_t:s15:c0.c255 tclass=dir
type=UNKNOWN[1310] msg=audit(0.000:45): success=yes exit=3 items=0 pid=1690 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:insmod_t:s0-s15:c0.c255

The only value I can see in the second record is that it tells me I'm
in permissive mode because the syscall succeeded, but I don't think
that's a good enough reason to have the record.

-- ljk
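
Added example, not part of the original message or of the audit code: a Python sketch that groups the two records quoted above by their shared audit(timestamp:serial) ID, lists the fields both carry, and flags the denied-but-succeeded case the message reads as permissive mode. The function names are hypothetical, and a0 is assumed to be the name of the first syscall-argument field in a full SYSCALL record.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the message, one per line.
SAMPLE = """\
type=AVC msg=audit(0.000:45): avc: denied { search } for pid=1690 comm="sh" name="/" dev=devpts ino=1 scontext=system_u:system_r:insmod_t:s0-s15:c0.c255 tcontext=system_u:object_r:devpts_t:s15:c0.c255 tclass=dir
type=UNKNOWN[1310] msg=audit(0.000:45): success=yes exit=3 items=0 pid=1690 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:insmod_t:s0-s15:c0.c255
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into type, event ID and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, stamp, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return {"type": rtype, "event": (stamp, int(serial)), "fields": fields,
            "denied": rtype == "AVC" and "avc: denied" in body}

def group_events(text):
    """Records with the same (timestamp, serial) belong to one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event"]].append(rec)
    return events

def analyze(records):
    """Compare the denied AVC record with its companion syscall record."""
    avc = next((r for r in records if r["denied"]), None)
    sysrec = next((r for r in records if "success" in r["fields"]), None)
    if avc is None or sysrec is None:
        return None
    a, s = avc["fields"], sysrec["fields"]
    return {
        "shared": sorted(k for k in a.keys() & s.keys() if a[k] == s[k]),
        "same_context": a.get("scontext") == s.get("subj"),
        # Partial record: no arch, syscall or argument fields present.
        "partial": not ({"arch", "syscall", "a0"} & s.keys()),
        "denied_but_succeeded": s["success"] == "yes",
    }
```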
