AVC messages and auditctl

Russell Coker russell at coker.com.au
Sun May 15 12:44:32 UTC 2005

Recently the AVC messages have been changed to not include the name of the 
executable as this is stored in the audit system.

However, a consequence of this is that in the early stages of boot we can't 
find out which program caused a message.  This probably isn't a problem for 
the typical Fedora user (who uses targeted policy and has most of the boot 
scripts running in unconfined_t), but will cause problems for people who use 
the strict policy in its most strict configuration and for people who want 
to develop an entirely new policy.

What's the recommended solution to this?  Can we get the audit functionality 
enabled through printk early in the boot process (i.e. in the first few lines 
of rc.sysinit)?

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
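
The following is an added example, not part of the original post or of any project's code. It shows how a denial is attributed to a program once the executable name lives in the audit system: the AVC record is joined to the SYSCALL record that shares its audit event ID. The record layout is assumed to follow the Linux audit log format, and the sample lines and the function name `attribute_denials` are constructed for illustration.

```python
import re

# Constructed sample records (not from the original post), assumed to follow
# the Linux audit log format. Event 46 has no companion SYSCALL record.
SAMPLE = """\
type=AVC msg=audit(1116160000.123:45): avc:  denied  { read } for  pid=312 name="adjtime" dev=hda1 ino=1234 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1116160000.123:45): arch=40000003 syscall=5 success=no exit=-13 pid=312 exe="/sbin/hwclock"
type=AVC msg=audit(1116160001.456:46): avc:  denied  { write } for  pid=320 name="log" dev=hda1 ino=99 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=sock_file
type=AVC msg=audit(1116160002.789:47): avc:  denied  { getattr } for  pid=330 name="fstab" dev=hda1 ino=77 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1116160002.789:47): arch=40000003 syscall=195 success=no exit=-13 pid=330 exe=2F7362696E2F6D7920696E6974
"""

EVENT = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
EXE = re.compile(r'\bexe=(?:"([^"]*)"|((?:[0-9A-Fa-f]{2})+)(?=\s|$))')
PERMS = re.compile(r"\{\s*(.*?)\s*\}")
KV = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")


def attribute_denials(log_text):
    """Pair each AVC denial with the exe= of the SYSCALL record sharing its
    audit event ID (timestamp:serial). exe is None when no such record
    exists, which is the early-boot situation the post describes."""
    exe_by_event, denials = {}, []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        key = (stamp, serial)
        if rtype == "SYSCALL":
            e = EXE.search(body)
            if e and e.group(1) is not None:
                exe_by_event[key] = e.group(1)
            elif e:
                # Values with spaces or quotes are logged hex-encoded.
                raw = bytes.fromhex(e.group(2))
                exe_by_event[key] = raw.decode("utf-8", "replace")
        elif rtype == "AVC" and "denied" in body:
            p = PERMS.search(body)
            rec = dict(KV.findall(body))
            rec.update(event=key, perms=p.group(1).split() if p else [])
            denials.append(rec)
    # Resolve after the full pass: a SYSCALL record follows its AVC record.
    for rec in denials:
        rec["exe"] = exe_by_event.get(rec.pop("event"))
    return denials
```
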
