On Tue, 2004-12-14 at 17:06, Mounir Bsaibes wrote:
> What I have currently, on disk full the auditd will notify the kernel
> which sets up a flag "disk_full_flag". During audit_log_start
if the
> disk_full_flag is set the process will be queued in a wait queue until
> auditd or auditctl reset the disk_full_flag,
> I can provide more details if needed. This is the general method I
am
> going to use to cover this CAPP requirement.
> Mounir
SELinux calls the audit subsystem from hard irq (e.g.
file_send_sigiotask) and at times when kernel locks are held.
So what is a better solution, just kill
the process?
I have changed the subject of this reply
to make it more meaningful to this discussion and to separate it from
the audit in vfs discussion.
Stephen Smalley <sds@epoch.ncsc.mil> Sent by: linux-audit-bounces@redhat.com
12/15/2004 10:08 AM
Please respond to
Linux Audit Discussion
To
Linux Audit Discussion <linux-audit@redhat.com>
cc
Subject
Re: best way to audit in
vfs
On Tue, 2004-12-14 at 17:06, Mounir Bsaibes wrote:
> What I have currently, on disk full the auditd will notify the kernel
> which sets up a falg "disk_full_flag". During audit_log_start
if the
> disk_full_flag is set the process will be queued in a wait queue until
> auditd or auditctl reset the disk_full_flag,
> I can provide more details if needed. This is the general method I
am
> going to use to cover this CAPP requirement.
> Mounir
SELinux calls the audit subsystem from hard irq (e.g.
file_send_sigiotask) and at times when kernel locks are held.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
Linux-audit mailing list
Linux-audit@redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit