Steve Grubb wrote:
> On Wednesday 15 March 2006 12:39, Linda Knippers wrote:
>
>> When is a SYSCALL_PARTIAL emitted, vs a SYSCALL?
>
> Whenever there are no audit rules loaded and an AVC message is
> triggered. We just grab what's readily available which means we don't
> have the arch, syscall, or args. Everything else should be there.

I also don't understand how this is related to improving performance
when there are no audit rules. It seems like it doubles the cost of
an AVC message.
-- ljk