Re: audit messages when there's no audit daemon
On Wed, 2005-06-22 at 06:56 -0400, Steve Grubb wrote:
> Why isn't audit disabled at this point?
Which program would be responsible for disabling the audit system?
init?
I was thinking that either auditd should be running or the audit system
should have been disabled.
Also, there are actions that occur on shutdown that SE Linux people
need to
see in order to correct policy. So, we can't affect AVC messages including
USER_AVC.
So we should exempt USER_AVC messages from the patch which discards user
messages when audit_enabled == 0? I can do that in a new kernel build.
--
dwmw2