AVC messages and auditctl

Stephen Smalley sds at tycho.nsa.gov
Mon May 16 11:35:01 UTC 2005

On Sun, 2005-05-15 at 22:44 +1000, Russell Coker wrote:
> Recently the AVC messages have been changed to not include the name of the 
> executable as this is stored in the audit system.
> However a consequence of this is that in the early stages of boot we can't 
> find out which program caused a message.  This probably isn't a problem for 
> the typical Fedora user (who uses targeted policy and has most of the boot 
> scripts running in unconfined_t), but will cause problems for people who use 
> the strict policy in it's most strict configuration and for people who want 
> to develop an entirely new policy.
> What's the recommended solution to this?  Can we get the audit functionality 
> enabled through printk early in the boot process (IE in the first few lines 
> of rc.sysinit)?

The kernel defaults to using printk if no audit daemon is registered.
But you need to boot with audit=1 to enable syscall auditing or run
auditctl -e 1 or auditd very early to enable it.  

Dave Woodhouse has a patch to restore logging of the pid and comm to
avc_audit(), which can be safely done (unlike the exe).  We could
upstream that patch possibly, as it reduces the impact of the change on

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list