Steve Grubb wrote:
> On Wednesday 15 March 2006 12:39, Linda Knippers wrote:
>> When is a SYSCALL_PARTIAL emitted, vs a SYSCALL?
> Whenever there are no audit rules loaded and an AVC message is triggered. We
> just grab what's readily available which means we don't have the arch,
> syscall, or args. Everything else should be there.
I don't understand why this record is a good idea. It seems to
duplicate a lot of information that is already in the AVC message
and if someone wanted the syscall to be audited, they'd audit it.
type=AVC msg=audit(0.000:45): avc: denied { search } for pid=1690
comm="sh" name="/" dev=devpts ino=1
scontext=system_u:system_r:insmod_t:s0-s15:c0.c255
tcontext=system_u:object_r:devpts_t:s15:c0.c255 tclass=dir
type=UNKNOWN[1310] msg=audit(0.000:45): success=yes exit=3 items=0
pid=1690 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="sh" exe="/bin/bash"
subj=system_u:system_r:insmod_t:s0-s15:c0.c255
The only value I can see in the second record is that it tells me I'm
in permissive mode because the syscall succeeded, but I don't think
that's a good enough reason to have the record.
-- ljk
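The two records quoted in the message above, re-joined onto one line each and run through a small correlator, as an added example that is not code from the thread or from the audit userspace tools. It assumes the unnamed type 1310 is the SYSCALL_PARTIAL record the thread discusses, reports which syscall fields a partial record lacks, and reproduces the permissive-mode inference ljk draws from "denied" plus success=yes.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the mail, unwrapped onto one line each.
SAMPLE_LOG = """\
type=AVC msg=audit(0.000:45): avc: denied { search } for pid=1690 comm="sh" name="/" dev=devpts ino=1 scontext=system_u:system_r:insmod_t:s0-s15:c0.c255 tcontext=system_u:object_r:devpts_t:s15:c0.c255 tclass=dir
type=UNKNOWN[1310] msg=audit(0.000:45): success=yes exit=3 items=0 pid=1690 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:insmod_t:s0-s15:c0.c255
"""

# Assumption: the type the tools could not name (1310) is the SYSCALL_PARTIAL record.
TYPE_NAMES = {"UNKNOWN[1310]": "SYSCALL_PARTIAL"}
HEADER = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc: (denied|granted) +\{ ([^}]*) \}')

def parse_record(line):
    """Split one audit line into type, timestamp, serial and a dict of key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    perm = AVC.search(body)  # the AVC verdict and permission are not key=value
    if perm:
        fields["avc_result"], fields["avc_perms"] = perm.group(1), perm.group(2).strip()
    return {"type": TYPE_NAMES.get(rtype, rtype), "time": ts, "serial": int(serial), "fields": fields}

def group_events(text):
    """Records sharing an audit(time:serial) stamp belong to one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)

def analyze(event):
    """Is the syscall record partial, which fields are absent, and did a denial still succeed?"""
    by_type = {r["type"]: r["fields"] for r in event}
    sc = by_type.get("SYSCALL") or by_type.get("SYSCALL_PARTIAL")
    avc = by_type.get("AVC")
    return {
        "partial": "SYSCALL_PARTIAL" in by_type,
        "missing": [k for k in ("arch", "syscall", "a0") if sc is not None and k not in sc],
        # denied by policy yet the call returned success: the box is in permissive mode
        "permissive_hint": bool(avc and sc and avc.get("avc_result") == "denied"
                                and sc.get("success") == "yes"),
    }
```

Feed the output of `ausearch -m AVC,SYSCALL --raw` or the raw audit.log to `group_events` to apply the same check across a whole log.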