On Wed, 2006-03-15 at 15:14 -0500, Steve Grubb wrote:
> I can understand wanting to optimize the code when there are no
audit
> rules (although one could optimize it by disabling audit)
No because then you lose the avc messages going to the audit system.
You should be able to disable syscall auditing while leaving the base
audit framework enabled, so you'd still get avc messages, just no
syscall audit messages. It used to work that way, don't know for
certain for the current situation. In fact, unless you enabled syscall
auditing via audit=1 or auditctl, it used to be the case that you would
only get avc messages.
--
Stephen Smalley
National Security Agency