On Mon, 02 Apr 2007 14:57:11 EDT, Amy Griffis said:
> Steve Grubb wrote: [Thu Mar 22 2007, 05:55:45PM EDT]
> > > If you want audit_enabled=0 to turn off audit completely, do you also
> > > want to drop selinux messages?
> >
> > No, the SE Linux folks want avc messages at all times unless the admin
> > specifically sets a rule to suppress them.
>
> Okay, makes sense. Do you think audit should return an error if
> someone tries to add a rule when audit_enabled=0 ?

Yes, probably. You'd kind of think that the human doing the auditing
would like a large and loud complaint if auditing had been accidentally
disabled.

The only question is what behavior it should have if a site (for
whatever reason) decides to first load all the rules, then enable
auditing (possibly to avoid spurious complaints about processes because
not all the rules have been loaded yet).