Auditd & Strict Policy 1.19

Stephen Smalley sds at tycho.nsa.gov
Thu May 26 12:32:34 UTC 2005


On Thu, 2005-05-26 at 09:31 +0300, George J. Jahchan wrote:
> As you correctly mentioned, auditd worked by adding audit and audit_control to
> the capability section of flask/access_vectors.
> 
> Noticed that audit.log shows "avc:  denied" kernel events that are not reported
> in messages. Are these suppressed by the dontaudit rules in the policy?

When auditd is running, the kernel sends audit messages to it and auditd
writes them to /var/log/audit/audit.log per /etc/auditd.conf, so they do
not appear in messages at all.  When no auditd is running, audit
messages are handled via the normal kernel logging mechanism, i.e. read
by klogd which in turn sends them along to syslogd, which in turn writes
them to /var/log/messages or elsewhere per /etc/syslog.conf.

If a dontaudit rule exists, then SELinux won't generate an audit message
at all for that denial, and it won't appear in any log.

-- 
Stephen Smalley
National Security Agency
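The reply above explains where an AVC denial ends up depending on whether auditd is running: in /var/log/audit/audit.log as a `type=AVC msg=audit(...)` record, or in /var/log/messages as a `kernel: audit(...)` line via klogd and syslogd. The parser below is an added example, not code from the thread or from the auditd/SELinux projects; it reads both formats from constructed sample lines, pulls out the denied permissions and the source/target contexts, and renders the policy rule an admin would write to either permit the access or silence it with dontaudit (which, as the reply notes, stops the kernel from emitting the message at all). The sample log lines, hostname and contexts are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not taken from the original thread).
# SAMPLE_AUDIT_LOG is the shape auditd writes to /var/log/audit/audit.log;
# SAMPLE_MESSAGES is the same kernel message as it lands in /var/log/messages
# via klogd -> syslogd when no auditd is running.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1117108354.123:42): avc:  denied  { read } for  '
    'pid=1234 comm="cat" name="shadow" dev=hda2 ino=12345 '
    'scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file'
)
SAMPLE_MESSAGES = (
    'May 26 12:32:34 host kernel: audit(1117108354.123:42): avc:  denied  { read } for  '
    'pid=1234 comm="cat" name="shadow" dev=hda2 ino=12345 '
    'scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file'
)

# The AVC body is identical in both formats; only the prefix differs.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    verdict: str          # "denied" or "granted"
    perms: List[str]      # permissions inside the braces
    scontext: str         # source (subject) security context
    tcontext: str         # target (object) security context
    tclass: str           # object class, e.g. "file"
    fields: Dict[str, str]
    source: str           # "auditd" (audit.log) or "syslog" (messages)


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one AVC line from either log; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    source = "auditd" if line.startswith("type=AVC") else "syslog"
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(
        verdict=m.group("verdict"),
        perms=m.group("perms").split(),
        scontext=fields.get("scontext", ""),
        tcontext=fields.get("tcontext", ""),
        tclass=fields.get("tclass", ""),
        fields=fields,
        source=source,
    )


def type_of(context: str) -> str:
    """Third field of user:role:type is the type enforcement type."""
    return context.split(":")[2]


def policy_rule(rec: AvcRecord, kind: str = "allow") -> str:
    """Render the TE rule matching this denial: 'allow' to permit it,
    'dontaudit' to suppress the audit message for it."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    return "%s %s %s:%s { %s };" % (
        kind, type_of(rec.scontext), type_of(rec.tcontext), rec.tclass, " ".join(rec.perms)
    )


def denials(lines: List[str]) -> List[AvcRecord]:
    """Filter a batch of log lines down to AVC denial records."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec.verdict == "denied":
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in denials([SAMPLE_AUDIT_LOG, SAMPLE_MESSAGES, "May 26 12:32:35 host kernel: eth0: link up"]):
        print(rec.source, policy_rule(rec), policy_rule(rec, "dontaudit"))
```

Because the AVC body is the same in both logs, a detection rule that matches on `avc:  denied` works whether or not auditd is running; what changes is only which file to read. Denials covered by a dontaudit rule never reach either file, so an empty log is not proof that no access was refused.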
