Head-banging targets, please

Stephen Smalley sds at epoch.ncsc.mil
Mon Jan 3 17:01:36 UTC 2005


On Mon, 2005-01-03 at 11:52, Steve G wrote:
> This is good to know. I am working on the audit daemon and noticed that avc
> messages usually wind up in syslog *even if* the audit daemon is running. I see
> "real" audit messages going to /var/log/audit.log and scrolling dbus avc messages
> in /var/log/messages both at the same time.
> 
> Not sure how the kernel decides where to send each of these...but they do go to
> different places on my machine.

dbusd avc audit messages are generated by libselinux using a callback
function provided by dbusd, and dbusd likely is just using syslog()
rather than communicating with the audit daemon.  The kernel audit
framework isn't involved in that path.  You'll need to change the
callback function provided by dbusd to instead send an AUDIT_USER
message with the audit data (or alternatively, have it talk directly to
the audit daemon).

For the kernel, the relevant code is audit_log_drain() in
kernel/audit.c.  That checks whether audit_pid has been set, and if so,
it sends the audit message to that process; otherwise, it ends up
calling printk to send via klogd.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
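
The routing described in this message, as an added example that is not part of the original post and is not dbusd, libselinux or kernel code: a variadic log callback that prefers an audit channel and falls back to syslog(), the same shape as the kernel's audit_pid check with its printk fallback. The names avc_log_cb, audit_sink_fn, memory_audit_sink and route_sample are hypothetical, the in-memory sink stands in for a real audit daemon connection, and the denial text is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical sink: a real daemon would wrap its audit send here; 0 = success. */
typedef int (*audit_sink_fn)(const char *record);

static audit_sink_fn audit_sink;   /* NULL while no audit channel is open */
static char last_audit[512];       /* constructed stand-in for the audit daemon */
static int audit_count, syslog_count;

static int memory_audit_sink(const char *record)
{
    snprintf(last_audit, sizeof last_audit, "%s", record);
    audit_count++;
    return 0;
}

/* Variadic log callback of the kind a daemon hands to its AVC library. */
static void avc_log_cb(const char *fmt, ...)
{
    char buf[512];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, sizeof buf, fmt, ap);  /* truncates, NUL-terminated */
    va_end(ap);
    if (n < 0) return;                            /* formatting failed */
    /* Prefer the audit channel; use syslog only when the channel is absent
     * or the send fails, so a record never lands in both logs. */
    if (audit_sink && audit_sink(buf) == 0) return;
    syslog(LOG_NOTICE, "%s", buf);                /* record is data, not a format */
    syslog_count++;
}

/* Sends one constructed denial; returns 1 if it reached the audit sink. */
static int route_sample(int audit_available)
{
    int before = audit_count;
    audit_sink = audit_available ? memory_audit_sink : NULL;
    avc_log_cb("avc:  denied  { %s } for scontext=%s tclass=%s",
               "send_msg", "user_u:user_r:user_t", "dbus");
    return audit_count > before;
}

int main(void)
{
    int with = route_sample(1), without = route_sample(0);
    printf("reached audit sink: with channel=%d, without=%d\n", with, without);
    return 0;
}
```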




More information about the fedora-selinux-list mailing list