[patch] fix syscall speedup patch mips typo
Linda Knippers
linda.knippers at hp.com
Wed Mar 15 19:31:13 UTC 2006
Steve Grubb wrote:
> On Wednesday 15 March 2006 12:39, Linda Knippers wrote:
>> When is a SYSCALL_PARTIAL emitted, vs a SYSCALL?
>
> Whenever there are no audit rules loaded and an AVC message is triggered. We
> just grab what's readily available which means we don't have the arch,
> syscall, or args. Everything else should be there.

I don't understand why this record is a good idea. It seems to
duplicate a lot of information that is already in the AVC message
and if someone wanted the syscall to be audited, they'd audit it.

type=AVC msg=audit(0.000:45): avc: denied { search } for pid=1690
comm="sh" name="/" dev=devpts ino=1
scontext=system_u:system_r:insmod_t:s0-s15:c0.c255
tcontext=system_u:object_r:devpts_t:s15:c0.c255 tclass=dir
type=UNKNOWN[1310] msg=audit(0.000:45): success=yes exit=3 items=0
pid=1690 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="sh" exe="/bin/bash"
subj=system_u:system_r:insmod_t:s0-s15:c0.c255

The only value I can see in the second record is that it tells me I'm
in permissive mode because the syscall succeeded, but I don't think
that's a good enough reason to have the record.

-- ljk
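
Records belonging to one audit event carry the same timestamp:serial pair in msg=audit(...). The following is an added example, not part of the original message or of the audit project's code: it groups the two records quoted above by that pair and lists which fields of the companion record already appear in the AVC record. The function names and the subj/scontext alias are assumptions of this example.

```python
import re
from collections import defaultdict

# The two records from the message above, each re-joined onto one line
# (the mail client wrapped them).
RECORDS = [
    'type=AVC msg=audit(0.000:45): avc: denied { search } for pid=1690 '
    'comm="sh" name="/" dev=devpts ino=1 '
    'scontext=system_u:system_r:insmod_t:s0-s15:c0.c255 '
    'tcontext=system_u:object_r:devpts_t:s15:c0.c255 tclass=dir',
    'type=UNKNOWN[1310] msg=audit(0.000:45): success=yes exit=3 items=0 '
    'pid=1690 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) comm="sh" exe="/bin/bash" '
    'subj=system_u:system_r:insmod_t:s0-s15:c0.c255',
]

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption of this example: the companion record's subj and the AVC's
# scontext are treated as the same field (both are the task's context).
ALIASES = {"subj": "scontext"}

def group_events(lines):
    """Map (timestamp, serial) -> list of (record type, {field: value})."""
    events = defaultdict(list)
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record; skip rather than guess
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[(ts, int(serial))].append((rtype, fields))
    return dict(events)

def split_fields(avc, other):
    """Return (fields of `other` already in `avc`, fields only in `other`)."""
    repeated, new = [], []
    for key, value in other.items():
        same = avc.get(ALIASES.get(key, key)) == value
        (repeated if same else new).append(key)
    return repeated, new

if __name__ == "__main__":
    for event_id, records in group_events(RECORDS).items():
        by_type = dict(records)
        avc = by_type.pop("AVC")
        for rtype, fields in by_type.items():
            repeated, new = split_fields(avc, fields)
            print(event_id, rtype, "repeated:", repeated, "new:", new)
```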