SELinux auditing can't be disabled?

Keith G. Robertson-Turner fedora-forums at genesis-x.nildram.co.uk
Sat Jun 5 21:43:19 UTC 2004


On Sat, 05 Jun 2004 14:11:36 +0100, Keith G. Robertson-Turner wrote:

> I switched to a stock kernel, in order to reverse the 8K stack patch for
> compatibility with nVidia's broken driver.

> However, between two different kernels (2.6.5-1.358 and 2.6.6-rc3-bk3)
> with nearly identical configs, something has changed to produce a tonne of
> garbage being spewed to the console (and /var/log/messages) during bootup.

I tried a slightly different approach this time, and it worked!

Instead of doing a make rpm on the kernel source, I simply replaced the
default i686 config in the SRPM sources with the new one I'd just
configured, and did a rpmbuild -ba --target i686 on the original spec
file.

The resulting kernel still has exactly the same config as before (I ran
diffs against a saved copy, /proc/config.gz and /boot/config-`uname -r`),
but no verbose audit logging during bootup??? I don't see anything in the
original spec file that can account for that - really weird.

Also I think I've nailed the specific component responsible, it is the
Light-weight Auditing Framework, introduced in 2.6.6, which enables
syscall auditing.

http://lwn.net/Articles/73623/

The default behaviour is verbose logging, and "turning it off" is a matter
of creating a new audit policy. This is all brand new, bleeding-edge
stuff, with zero documentation and only very basic userland tools, so
people testing 2.6.6 better have plenty of disk space for their logs, since
I can find no way of turning it off (other than disabling syslog).

The provided spec applies all the same patches in the rpmbuild, as I do in
the manual make rpm build, yet it looks like the result is actually a
2.6.5 kernel rather than 2.6.6-rc3-bk3 - as it should be if all the
patches are applied ??? This is the only explanation I can come up with
for why the syscall logging stuff is missing in the spec build, and yet I
don't see how it's happening.

/me puts on a *very* strong pot of coffee.

Anyway, it's ... er ... fixed - I guess.

-
K.  




