On Thursday 22 March 2007 17:45, Amy Griffis wrote:
When audit_enabled was first implemented, it was only intended to turn
off syscall auditing, not _all_ auditing.
At that time, syscall auditing *was* all auditing. :)
This was so users could use audit for selinux messages without the overhead
of syscall audit.
SE Linux has always been different and you shouldn't really consider it in the
auditing system for enable/disable. The reason it's different is that it uses
audit as a transport mechanism and can happily use syslogs, too.
> The patch below solves this problem by checking audit_enabled before
> creating an audit event.
If you want audit_enabled=0 to turn off audit completely, do you also
want to drop selinux messages?
No, the SE Linux folks want avc messages at all times unless the admin
specifically sets a rule to suppress them.
-Steve