Latest kernel (2356), avc's on hwclock

Stephen Smalley sds at tycho.nsa.gov
Mon Jul 10 20:11:30 UTC 2006


On Mon, 2006-07-10 at 08:05 -0700, Tom London wrote:
> On 7/7/06, Ian Pilcher <i.pilcher at comcast.net> wrote:
> > Stephen Smalley wrote:
> > > Looks like the Fedora hwclock is instrumented to generate an audit
> > > record, but policy doesn't yet allow it to do so.  These capability
> > > checks used to be silent (no auditing) since they occur on netlink recv,
> > > but a recent patch has enabled SELinux to generate audit messages on the
> > > netlink recv capability checks.  So we can expect these types of denials
> > > to show up now.  Should be allowed in this case.
> >
> > So it's generating an audit message, because it wasn't allowed to
> > generate an audit message?
> >
> > I've only had half a beer...
> >
> > --
> > ========================================================================
> > Ian Pilcher                                        i.pilcher at comcast.net
> > ========================================================================
> >
> A slight side question:
> 
> hwclock seems to be producing audit messages either before or after
> auditd has started/exited. I see a message on shutdown, but it appears
> not to be logged anywhere.
> 
> Does that meet auditing requirements?

Something to ask over on linux-audit, not here.

-- 
Stephen Smalley
National Security Agency
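The denial Stephen describes is a capability check that fires when hwclock sends its audit record over the audit netlink socket. The thread does not quote the AVC line itself, so the sample records below are constructed for illustration (this is added example code, not part of the list thread or of any Fedora tool); they assume the permission in question is `audit_write` (CAP_AUDIT_WRITE, capability number 29) and that hwclock runs as `hwclock_t`. The parser extracts the fields from an AVC record and turns a confirmed-legitimate denial into the corresponding `allow` rule, which is essentially what an admin does with audit2allow before deciding whether the access belongs in policy:

```python
import re

# Constructed sample audit records (not taken from the original thread).
# Line 1: a capability denial of the kind discussed (audit socket write).
# Line 2: an ordinary file denial, to show the target-type handling.
# Line 3: a non-AVC record, which the parser must skip.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1152561090.130:23): avc:  denied  { audit_write } for  '
    'pid=2310 comm="hwclock" capability=29 '
    'scontext=system_u:system_r:hwclock_t:s0 '
    'tcontext=system_u:system_r:hwclock_t:s0 tclass=capability',
    'type=AVC msg=audit(1152561090.131:24): avc:  denied  { read } for  '
    'pid=2310 comm="hwclock" name="adjtime" dev=hda2 ino=12345 '
    'scontext=system_u:system_r:hwclock_t:s0 '
    'tcontext=system_u:object_r:adjtime_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1152561090.130:23): arch=40000003 syscall=102 '
    'success=no exit=-13',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." is the classic AVC layout.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm="hwclock") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').split(), **fields}


def context_type(ctx):
    """user:role:type[:mls] -> type component of a security context."""
    return ctx.split(':')[2]


def suggest_allow(rec):
    """Build the allow rule that would permit exactly this denied access.

    When source and target types match (as for a capability check, where a
    process checks its own capabilities) the rule targets 'self'.
    """
    src = context_type(rec['scontext'])
    tgt = context_type(rec['tcontext'])
    target = 'self' if src == tgt else tgt
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {target}:{rec['tclass']} {perm_str};"


def capability_denials(lines):
    """Pick out only the capability-class denials, like the hwclock one."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get('tclass') == 'capability':
            out.append(rec)
    return out


if __name__ == '__main__':
    for rec in capability_denials(SAMPLE_AUDIT_LINES):
        print(f"{rec['comm']} (pid {rec['pid']}) denied capability "
              f"{rec['capability']}: {suggest_allow(rec)}")
```

The generated rule is only a proposal: as in the thread, the decision to add `allow hwclock_t self:capability audit_write;` rests on confirming that the program really should be writing audit records, not on the denial having appeared.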



