audit 1.2.2 released

Michael C Thompson thompsmc at us.ibm.com
Tue May 16 20:38:20 UTC 2006


Steve Grubb wrote:
> On Tuesday 16 May 2006 11:53, Linda Knippers wrote:
>> His transcript was when running in permissive mode so won't you only get
>> the avc deny once?
> 
> If it's in permissive, you shouldn't get any failure that results in EPERM from 
> SE Linux. But on second look, this AVC has a success=yes, so maybe not the 
> smoking gun. If there was a corresponding AVC with success=no, then that 
> would be notable.
> 
> AFAICT, there are 2 places where an access decision is made, audit_netlink_ok 
> in kernel/audit.c. And the other place is selinux_nlmsg_lookup in 
> security/selinux/nlmsgtab.c. I think you'd want to patch your kernel to 
> printk its access decision results in both of those functions. That should 
> tell us something about what's going on.
> 
> -Steve

Interesting factoid here for you Steve:

I just compiled auditctl from scratch, and the newly compiled binary got 
the "Error sending rule list request" thing, even though I had been 
using the /sbin/auditctl -l functionality for a long while prior.

Does this mean anything to you? Or at least help narrow the search?
Mike
