Re: audit 1.2.2 released
Steve Grubb wrote:
On Tuesday 16 May 2006 11:53, Linda Knippers wrote:
> His transcript was when running in permissive mode so won't you only get
> the avc deny once?
If its in permissive, you shouldn't get any failure that results in EPERM from
SE Linux. But on second look, this AVC has a success=yes, so maybe not the
smoking gun. If there was a corresponding AVC with success=no, then that
would be notable.
AFAICT, there are 2 places where an access decision is made, audit_netlink_ok
in kernel/audit.c. And the other place is selinux_nlmsg_lookup in
security/selinux/nlmsgtab.c. I think you'd want to patch your kernel to
printk its access decision results in both of those functions. That should
tell us something about what's going on.
-Steve
Interesting factoid here for you Steve:
I just compiled auditctl from scratch, and the newly compiled binary got
the "Error sending rule list request" thing, even though I had been
using the /sbin/auditctl -l functionality for a long while prior.
Does this mean anything to you? or at least help narrow the search?
Mike