Stephen Smalley wrote:
> On Wed, 2006-03-15 at 15:14 -0500, Steve Grubb wrote:
>>> I can understand wanting to optimize the code when there are no audit
>>> rules (although one could optimize it by disabling audit)
>> No, because then you lose the avc messages going to the audit system.
> You should be able to disable syscall auditing while leaving the base
> audit framework enabled, so you'd still get avc messages, just no
> syscall audit messages. It used to work that way, don't know for
> certain for the current situation. In fact, unless you enabled syscall
> auditing via audit=1 or auditctl, it used to be the case that you would
> only get avc messages.
When I disable syscall auditing via auditctl, I get the avc messages
in the audit log, but I also occasionally get the partial record, which
shows up for me as UNKNOWN because my user-space tools are old.
type=AVC msg=audit(1142454769.018:874): avc: denied { read } for
pid=23886 comm="lpq" name="lpoptions" dev=dm-0 ino=4523611
scontext=system_u:system_r:initrc_t:s15:c0.c255
tcontext=root:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(0.000:765): avc: denied { use } for pid=9321
comm="bash" name="3" dev=devpts ino=5
scontext=system_u:system_r:initrc_t:s15:c0.c255
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c255 tclass=fd
type=UNKNOWN[1310] msg=audit(0.000:765): success=yes exit=1 items=0
pid=9321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts3 comm="bash" exe="/bin/bash"
subj=system_u:system_r:initrc_t:s15:c0.c255
type=AVC_PATH msg=audit(0.000:765): path="/dev/pts/3"
When we get a partial record, the timestamp and serial number are wrong.
-- ljk
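As an added example (not code from the thread or from the audit project), here is a small Python parser that splits audit records into events keyed by (timestamp, serial) and flags the symptoms ljk describes above: a zero timestamp, a serial number that goes backwards relative to earlier records, and record types an old userspace prints as UNKNOWN[n]. The sample log is the four records from the post re-joined onto single lines; the helper names, the record-type number handling and the "suspect" heuristics are this example's own assumptions, not audit-tool behaviour.

```python
"""Parse Linux audit records and flag events whose msg=audit(ts:serial)
header looks wrong. Added example; not code from the audit project."""
import re
from collections import defaultdict

# Record header: type=<TYPE> msg=audit(<secs>.<millis>:<serial>): <body>
_HEADER = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted or a run of non-space chars
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# AVC body: avc: denied { perm1 perm2 } for key=value ...
_AVC = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# Type an old userspace could not name, printed as UNKNOWN[<number>]
_UNKNOWN = re.compile(r'^UNKNOWN\[(\d+)\]$')

# Sample input: the records from the post, re-joined onto one line each.
SAMPLE_LOG = """\
type=AVC msg=audit(1142454769.018:874): avc: denied { read } for pid=23886 comm="lpq" name="lpoptions" dev=dm-0 ino=4523611 scontext=system_u:system_r:initrc_t:s15:c0.c255 tcontext=root:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(0.000:765): avc: denied { use } for pid=9321 comm="bash" name="3" dev=devpts ino=5 scontext=system_u:system_r:initrc_t:s15:c0.c255 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c255 tclass=fd
type=UNKNOWN[1310] msg=audit(0.000:765): success=yes exit=1 items=0 pid=9321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 comm="bash" exe="/bin/bash" subj=system_u:system_r:initrc_t:s15:c0.c255
type=AVC_PATH msg=audit(0.000:765): path="/dev/pts/3"
"""


def parse_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"),
           "serial": int(m.group("serial")), "fields": {}}
    u = _UNKNOWN.match(rec["type"])
    if u:
        rec["type_num"] = int(u.group(1))   # numeric type the tools could not name
    body = m.group("body")
    a = _AVC.match(body)
    if a:                                    # peel off the AVC prefix first
        rec["avc_result"] = a.group("result")
        rec["perms"] = a.group("perms").split()
        body = a.group("rest")
    for key, val in _KV.findall(body):
        rec["fields"][key] = val.strip('"')  # auid=4294967295 is (uid_t)-1: unset
    return rec


def group_events(lines):
    """Group records by their (timestamp, serial) event id, in order seen."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec["ts"], rec["serial"])].append(rec)
    return events


def find_suspect_events(lines):
    """Map event id -> reasons for events whose header looks wrong (assumed heuristics)."""
    suspects = {}
    max_serial = 0
    for (ts, serial), recs in group_events(lines).items():
        reasons = []
        if float(ts) == 0.0:
            reasons.append("zero timestamp")
        if serial < max_serial:
            reasons.append("serial %d went backwards after %d" % (serial, max_serial))
        nums = sorted({r["type_num"] for r in recs if "type_num" in r})
        if nums:
            reasons.append("record type(s) %s unknown to userspace tools"
                           % ", ".join(str(n) for n in nums))
        max_serial = max(max_serial, serial)
        if reasons:
            suspects[(ts, serial)] = reasons
    return suspects


if __name__ == "__main__":
    for (ts, serial), reasons in find_suspect_events(SAMPLE_LOG.splitlines()).items():
        print("audit(%s:%d): %s" % (ts, serial, "; ".join(reasons)))
```

Running it over the sample reports only audit(0.000:765), with all three reasons; the earlier AVC at 1142454769.018:874 passes. Because the grouping key is the (timestamp, serial) pair, the AVC, UNKNOWN[1310] and AVC_PATH records of the partial event are kept together, which is what lets the path="/dev/pts/3" be tied back to the { use } denial on fd "3".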