AVC messages and auditctl

Stephen Smalley sds at tycho.nsa.gov
Mon May 16 11:35:01 UTC 2005


On Sun, 2005-05-15 at 22:44 +1000, Russell Coker wrote:
> Recently the AVC messages have been changed to not include the name of the 
> executable as this is stored in the audit system.
> 
> However a consequence of this is that in the early stages of boot we can't 
> find out which program caused a message.  This probably isn't a problem for 
> the typical Fedora user (who uses targeted policy and has most of the boot 
> scripts running in unconfined_t), but will cause problems for people who use 
> the strict policy in its most strict configuration and for people who want 
> to develop an entirely new policy.
> 
> What's the recommended solution to this?  Can we get the audit functionality 
> enabled through printk early in the boot process (i.e. in the first few lines 
> of rc.sysinit)?

The kernel defaults to using printk if no audit daemon is registered.
But you need to boot with audit=1 to enable syscall auditing or run
auditctl -e 1 or auditd very early to enable it.  

Dave Woodhouse has a patch to restore logging of the pid and comm to
avc_audit(), which can be safely done (unlike the exe).  We could
upstream that patch possibly, as it reduces the impact of the change on
users.

-- 
Stephen Smalley
National Security Agency
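As an added example (not code from the thread or from the SELinux project): a small parser for AVC records that separates messages carrying `pid=` and `comm=` from those that do not, which is the early-boot attribution gap Russell describes and the information Dave Woodhouse's patch would restore. The log lines below are constructed for illustration.

```python
import re

# Constructed sample kernel log lines (not from the original post). The first
# carries pid= and comm= as the patch discussed would restore; the second is in
# the stripped form the thread complains about and names no process at all.
SAMPLE_AVC_LINES = [
    'audit(1116239701.123:45): avc:  denied  { read } for  pid=812 comm="sh" '
    'name="fstab" dev=hda2 ino=1234 scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:object_r:etc_t tclass=file',
    'audit(1116239702.456:46): avc:  denied  { write } for  name="mtab" '
    'dev=hda2 ino=5678 scontext=system_u:system_r:mount_t '
    'tcontext=system_u:object_r:etc_runtime_t tclass=file',
]

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def attribution_report(lines):
    """Split AVC records into those that name a process (pid and comm present)
    and those that can only be attributed through the audit subsystem's syscall
    records, which are absent before audit=1 / auditctl -e 1 takes effect."""
    attributed, unattributed = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        (attributed if "pid" in rec and "comm" in rec else unattributed).append(rec)
    return attributed, unattributed


if __name__ == "__main__":
    att, unatt = attribution_report(SAMPLE_AVC_LINES)
    for r in att:
        print("attributed:   pid=%s comm=%s %s" % (r["pid"], r["comm"], r["scontext"]))
    for r in unatt:
        print("unattributed: %s (no pid/comm; needs audit syscall record)" % r["scontext"])
```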

More information about the fedora-selinux-list mailing list