
Re: [patch] fix syscall speedup patch mips typo



Stephen Smalley wrote:
On Wed, 2006-03-15 at 15:14 -0500, Steve Grubb wrote:
I can understand wanting to optimize the code when there are no audit
rules (although one could optimize it by disabling audit)
No because then you lose the avc messages going to the audit system.

You should be able to disable syscall auditing while leaving the base
audit framework enabled, so you'd still get avc messages, just no
syscall audit messages.  It used to work that way, don't know for
certain for the current situation.  In fact, unless you enabled syscall
auditing via audit=1 or auditctl, it used to be the case that you would
only get avc messages.

When I disable syscall auditing via auditctl, I get the avc messages
in the audit log, but I also occasionally get the partial record, which
shows up for me as UNKNOWN because my user-space tools are old.

type=AVC msg=audit(1142454769.018:874): avc: denied { read } for pid=23886 comm="lpq" name="lpoptions" dev=dm-0 ino=4523611 scontext=system_u:system_r:initrc_t:s15:c0.c255 tcontext=root:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(0.000:765): avc: denied { use } for pid=9321 comm="bash" name="3" dev=devpts ino=5 scontext=system_u:system_r:initrc_t:s15:c0.c255 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c255 tclass=fd
type=UNKNOWN[1310] msg=audit(0.000:765): success=yes exit=1 items=0 pid=9321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 comm="bash" exe="/bin/bash" subj=system_u:system_r:initrc_t:s15:c0.c255
type=AVC_PATH msg=audit(0.000:765):  path="/dev/pts/3"

When we get a partial record, the timestamp and serial number are wrong.

-- ljk
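
Added example, not part of the original message or of the audit tools: a small Python check that groups audit records by their `msg=audit(timestamp:serial)` stamp and flags events like the one quoted above. The function names and both heuristics (a 0.000 timestamp, a serial lower than one already seen) are assumptions of this example, and the sample input is the quoted records with fields trimmed.

```python
import re
from collections import OrderedDict

# Header of a Linux audit record: type=X msg=audit(sec.msec:serial):
HEADER = re.compile(r"type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):")

def parse_records(text):
    """Return (type, timestamp, serial) for every record header in text,
    even when several records were run together on one line."""
    return [(m.group(1), float(f"{m.group(2)}.{m.group(3)}"), int(m.group(4)))
            for m in HEADER.finditer(text)]

def find_suspect_events(text):
    """Group records by (timestamp, serial) and flag events whose stamp looks
    unset. Heuristics are assumptions of this example: a 0.000 timestamp,
    or a serial below one already seen earlier in the same log."""
    events = OrderedDict()
    for rtype, ts, serial in parse_records(text):
        events.setdefault((ts, serial), []).append(rtype)
    suspects, highest = [], -1
    for (ts, serial), types in events.items():
        reasons = []
        if ts == 0.0:
            reasons.append("zero timestamp")
        if serial < highest:
            reasons.append(f"serial {serial} below earlier serial {highest}")
        highest = max(highest, serial)
        if reasons:
            suspects.append({"serial": serial, "types": types, "reasons": reasons})
    return suspects

# Sample input: the records quoted in the message, with fields trimmed for length.
SAMPLE = (
    'type=AVC msg=audit(1142454769.018:874): avc: denied { read } for pid=23886 comm="lpq"\n'
    'type=AVC msg=audit(0.000:765): avc: denied { use } for pid=9321 comm="bash"\n'
    'type=UNKNOWN[1310] msg=audit(0.000:765): success=yes exit=1 items=0 pid=9321\n'
    'type=AVC_PATH msg=audit(0.000:765):  path="/dev/pts/3"\n'
)

if __name__ == "__main__":
    for s in find_suspect_events(SAMPLE):
        print(s["serial"], s["types"], "; ".join(s["reasons"]))
```

A serial that restarts after a reboot would also trip the second heuristic, so run it over one boot's worth of log at a time.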

