[patch] fix syscall speedup patch mips typo
Linda Knippers
linda.knippers at hp.com
Wed Mar 15 20:37:16 UTC 2006
Stephen Smalley wrote:
> On Wed, 2006-03-15 at 15:14 -0500, Steve Grubb wrote:
>>> I can understand wanting to optimize the code when there are no audit
>>> rules (although one could optimize it by disabling audit)
>> No because then you lose the avc messages going to the audit system.
>
> You should be able to disable syscall auditing while leaving the base
> audit framework enabled, so you'd still get avc messages, just no
> syscall audit messages. It used to work that way, don't know for
> certain for the current situation. In fact, unless you enabled syscall
> auditing via audit=1 or auditctl, it used to be the case that you would
> only get avc messages.
When I disable syscall auditing via auditctl, I get the avc messages
in the audit log, but I also occasionally get the partial record, which
shows up for me as UNKNOWN because my user-space tools are old.

type=AVC msg=audit(1142454769.018:874): avc: denied { read } for
pid=23886 comm="lpq" name="lpoptions" dev=dm-0 ino=4523611
scontext=system_u:system_r:initrc_t:s15:c0.c255
tcontext=root:object_r:cupsd_etc_t:s0 tclass=file

type=AVC msg=audit(0.000:765): avc: denied { use } for pid=9321
comm="bash" name="3" dev=devpts ino=5
scontext=system_u:system_r:initrc_t:s15:c0.c255
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c255 tclass=fd
type=UNKNOWN[1310] msg=audit(0.000:765): success=yes exit=1 items=0
pid=9321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts3 comm="bash" exe="/bin/bash"
subj=system_u:system_r:initrc_t:s15:c0.c255
type=AVC_PATH msg=audit(0.000:765): path="/dev/pts/3"

When we get a partial record, the timestamp and serial number are wrong.
-- ljk
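
A log-side check for the symptom reported in the message above, as an added example that is not part of the original post or of the audit tools. It groups records by their `audit(timestamp:serial)` id and flags events like the `0.000:765` one; the function names and the three heuristics are assumptions made here, and the sample is the quoted log with each wrapped record joined onto one line.

```python
import re

# Constructed sample: the records quoted in the message, one record per line.
SAMPLE = """\
type=AVC msg=audit(1142454769.018:874): avc: denied { read } for pid=23886 comm="lpq" name="lpoptions" dev=dm-0 ino=4523611 scontext=system_u:system_r:initrc_t:s15:c0.c255 tcontext=root:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(0.000:765): avc: denied { use } for pid=9321 comm="bash" name="3" dev=devpts ino=5 scontext=system_u:system_r:initrc_t:s15:c0.c255 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c255 tclass=fd
type=UNKNOWN[1310] msg=audit(0.000:765): success=yes exit=1 items=0 pid=9321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 comm="bash" exe="/bin/bash" subj=system_u:system_r:initrc_t:s15:c0.c255
type=AVC_PATH msg=audit(0.000:765): path="/dev/pts/3"
"""

# Record header: type=<TYPE> msg=audit(<seconds>.<millis>:<serial>):
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):")

def group_events(text):
    """Group record types by (seconds, millis, serial) event id, in log order."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # blank line or wrapped continuation, not a record header
        key = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
        events.setdefault(key, []).append(m.group(1))
    return events

def find_suspect_events(text):
    """Return [(serial, record_types, reasons)] for events that look malformed."""
    suspects, highest = [], -1
    for (sec, ms, serial), types in group_events(text).items():
        reasons = []
        if sec == 0 and ms == 0:
            reasons.append("zero timestamp")
        if serial < highest:
            # Heuristic (assumption): serials normally rise within one log.
            reasons.append("serial below an earlier event")
        if any(t.startswith("UNKNOWN[") for t in types):
            reasons.append("record type unknown to the tools")
        highest = max(highest, serial)
        if reasons:
            suspects.append((serial, types, reasons))
    return suspects

if __name__ == "__main__":
    for serial, types, reasons in find_suspect_events(SAMPLE):
        print(serial, types, "; ".join(reasons))
```

A serial lower than an earlier one can also follow a reboot or a rotated log, so that reason is a prompt to look at the event rather than proof of a partial record.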