Possibly wrong audit messages
Steve Grubb
sgrubb at redhat.com
Mon Jun 12 12:51:42 UTC 2006
On Monday 12 June 2006 08:36, Glauber de Oliveira Costa wrote:
> If this is really the expected behaviour, sorry for the bogus report.
The 2.6.17 kernel, which is not released, changes this behavior so that it
generates an event that looks something like this:
type=MAC_CONFIG_CHANGE msg=audit(1149610548.301:384): bool=user_ping val=0 old_val=1 auid=501
The messages you are seeing come from SE Linux policy which can be changed
once this patch is in an official kernel. You would still see an event for
each boolean that was set/reset. If policy does not get changed, you will see
2 events for each set/reset.
-Steve
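
An added example, not part of the original message or of the audit project's code: a small Python parser for the MAC_CONFIG_CHANGE record format quoted above. It lists each boolean set/reset with the audit login UID (auid) that made it. The sample log is constructed; only its first record comes from the message.

```python
import re

# Record header: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <key=value fields>
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample input. The first record is the one quoted in the message;
# the remaining lines are simplified and made up for illustration.
SAMPLE_LOG = """\
type=MAC_CONFIG_CHANGE msg=audit(1149610548.301:384): bool=user_ping val=0 old_val=1 auid=501
type=SYSCALL msg=audit(1149610550.120:385): auid=501 success=yes
type=MAC_CONFIG_CHANGE msg=audit(1149610560.007:386): bool=user_ping val=0 old_val=0 auid=501
this line is not an audit record
"""

def parse_record(line):
    """Return (type, epoch_seconds, serial, fields), or None for a non-record line."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    return m.group("type"), int(m.group("sec")), int(m.group("serial")), fields

def boolean_changes(log_text):
    """Collect one entry per MAC_CONFIG_CHANGE record that names a boolean."""
    changes = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec[0] != "MAC_CONFIG_CHANGE":
            continue
        _, sec, serial, f = rec
        if not {"bool", "val", "old_val"} <= f.keys():
            continue  # malformed or a different kind of config change
        changes.append({
            "epoch": sec,
            "serial": serial,
            "bool": f["bool"],
            "old": f["old_val"],
            "new": f["val"],
            "auid": f.get("auid"),           # login UID that made the change
            "changed": f["val"] != f["old_val"],
        })
    return changes

if __name__ == "__main__":
    for change in boolean_changes(SAMPLE_LOG):
        print(change)
```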