AVC messages and auditctl
Stephen Smalley
sds at tycho.nsa.gov
Mon May 16 11:35:01 UTC 2005
On Sun, 2005-05-15 at 22:44 +1000, Russell Coker wrote:
> Recently the AVC messages have been changed to not include the name of the
> executable as this is stored in the audit system.
>
> However a consequence of this is that in the early stages of boot we can't
> find out which program caused a message. This probably isn't a problem for
> the typical Fedora user (who uses targeted policy and has most of the boot
> scripts running in unconfined_t), but will cause problems for people who use
> the strict policy in its most strict configuration and for people who want
> to develop an entirely new policy.
>
> What's the recommended solution to this? Can we get the audit functionality
> enabled through printk early in the boot process (i.e. in the first few lines
> of rc.sysinit)?
The kernel defaults to using printk if no audit daemon is registered.
But you need to boot with audit=1 to enable syscall auditing or run
auditctl -e 1 or auditd very early to enable it.
Dave Woodhouse has a patch to restore logging of the pid and comm to
avc_audit(), which can be safely done (unlike the exe). We could
upstream that patch possibly, as it reduces the impact of the change on
users.
--
Stephen Smalley
National Security Agency
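The point in Stephen's reply is that the executable name is no longer in the AVC record itself but in the companion SYSCALL record, which the kernel only emits when syscall auditing is on (audit=1 on the kernel command line, or auditctl -e 1 / auditd started early). The following Python is an added example, not code from this thread or from the SELinux or audit projects: it groups records by the audit(timestamp:serial) event id and fills pid, comm and exe into each denial from the SYSCALL record that shares its serial. The log lines are constructed in the style of 2.6.x kernel audit output; the serials, pid, inode numbers and paths are invented. The second denial deliberately has no SYSCALL record, which is what an early-boot denial looks like before auditing is enabled, and it is reported as unresolved.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not from the original thread), written in the
# style of 2.6.x kernel audit output. Serial 102 has both an AVC and a
# SYSCALL record; serial 103 has only the AVC record, as happens when the
# denial occurs before syscall auditing is enabled.
SAMPLE_LOG = """\
audit(1116236101.123:102): avc:  denied  { read } for  name=shadow dev=hda1 ino=12345 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1116236101.123:102): syscall=5 success=no exit=-13 a0=bfffe5b0 a1=0 a2=1b6 a3=0 items=1 pid=1031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat"
audit(1116236101.456:103): avc:  denied  { write } for  name=console dev=hda1 ino=2048 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
"""

# audit(<timestamp>:<serial>): <body>  -- the serial ties records of one event together
SERIAL_RE = re.compile(r"^audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values may be double-quoted (comm="cat") or bare (pid=1031)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Optional[dict]:
    """Split one audit line into its event id, record kind and key=value fields."""
    m = SERIAL_RE.match(line)
    if not m:
        return None
    ts, serial, body = m.groups()
    kind = "avc" if body.startswith("avc:") else "syscall"
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    perms = re.search(r"\{([^}]*)\}", body)
    if perms:
        fields["perms"] = perms.group(1).split()
    return {"ts": ts, "serial": serial, "kind": kind, "fields": fields}


def correlate(log: str) -> List[dict]:
    """Join each AVC record with the SYSCALL record sharing its serial.

    Returns one entry per denial. pid/comm/exe are taken from the AVC line
    when present (older kernels, or a kernel carrying the pid/comm patch),
    otherwise from the SYSCALL record. If neither supplies exe, the denial
    is flagged unresolved: syscall auditing was not active at the time.
    """
    by_serial: Dict[str, dict] = {}
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is not None:
            by_serial.setdefault(rec["serial"], {})[rec["kind"]] = rec

    out = []
    for serial, recs in sorted(by_serial.items(), key=lambda kv: int(kv[0])):
        avc = recs.get("avc")
        if avc is None:
            continue
        sc = recs.get("syscall", {}).get("fields", {})
        entry = {
            "serial": serial,
            "perms": avc["fields"].get("perms", []),
            "scontext": avc["fields"].get("scontext"),
            "tcontext": avc["fields"].get("tcontext"),
            "tclass": avc["fields"].get("tclass"),
            "pid": avc["fields"].get("pid") or sc.get("pid"),
            "comm": avc["fields"].get("comm") or sc.get("comm"),
            "exe": avc["fields"].get("exe") or sc.get("exe"),
        }
        entry["unresolved"] = entry["exe"] is None
        out.append(entry)
    return out


if __name__ == "__main__":
    for e in correlate(SAMPLE_LOG):
        who = f'{e["exe"]} (pid {e["pid"]})' if not e["unresolved"] else "UNKNOWN (no SYSCALL record; enable auditing earlier)"
        print(f'serial {e["serial"]}: denied {e["perms"]} {e["tclass"]} {e["scontext"]} -> {e["tcontext"]} by {who}')
```

Run against the output of dmesg during early boot and against /var/log/audit/audit.log once auditd is up, and the unresolved entries are exactly the denials that happened before auditing was switched on; moving auditctl -e 1 (or audit=1) earlier is what makes them resolvable.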