When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message of 4a4cd633b575609b741a1de7837223a2d9e1c34c ("AUDIT: Optimise the audit-disabled case for discarding user messages"). When audit_enabled is 0, audit_receive_msg() discards all user messages except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to special case AUDIT_USER_AVC messages in both functions. Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com&gt; Cc: Al Viro <viro(a)zeniv.linux.org.uk&gt; Cc: Eric Paris <eparis(a)redhat.com&gt; Cc: linux-audit(a)redhat.com --- It looks like commit 50397bd1e471391d27f64efad9271459c913de87 ("[AUDIT] clean up audit_receive_msg()") introduced this bug, so I think that this patch should also get the tag: Cc: <stable(a)kernel.org&gt; # v2.6.25+ Al and Eric, I'll leave that up to you two. Here's my test matrix showing where messages end up as a result of a call to libaudit's audit_log_user_avc_message(): | unpatched patched ----------------+-------------------------------- w/o audit=1 & | *dropped* syslog w/o auditd | | w/ audit=1 & | syslog syslog w/o auditd | | w/o audit=1 & | audit.log audit.log w/ auditd | | w/ audit=1 & | audit.log audit.log w/ auditd | Thanks! kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 91e53d0..f4f2773 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) int rc = 0; uid_t uid = from_kuid(&init_user_ns, current_uid()); - if (!audit_enabled) { + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { *ab = NULL; return rc; } -- 1.8.3.2