On Thu, 2006-03-16 at 12:52 -0500, Amy Griffis wrote:
The justification for this patch (mostly discussed offlist) was that
many users are only interested in using audit to log records from
SELinux but don't want to incur the performance penalty of syscall
auditing. Fixing the loginuid and allowing userspace messages in the
absence of syscall auditing should cover their requirements and allow
them to simply turn syscall auditing off.
This makes more sense to me. Further, it seems like someone should be
working on making the syscall audit processing more efficient so that
people aren't driven to disabling syscall auditing just because it is so
costly. Optimizing only for the users who don't need/want syscall
auditing ensures that it will always remain a niche feature with a small
user community.
--
Stephen Smalley
National Security Agency