audit 1.2.2 released
Steve Grubb
sgrubb at redhat.com
Tue May 16 17:23:32 UTC 2006
On Tuesday 16 May 2006 11:53, Linda Knippers wrote:
> His transcript was when running in permissive mode so won't you only get
> the avc deny once?
If its in permissive, you shouldn't get any failure that results in EPERM from
SE Linux. But on second look, this AVC has a success=yes, so maybe not the
smoking gun. If there was a corresponding AVC with success=no, then that
would be notable.
AFAICT, there are 2 places where an access decision is made, audit_netlink_ok
in kernel/audit.c. And the other place is selinux_nlmsg_lookup in
security/selinux/nlmsgtab.c. I think you'd want to patch your kernel to
printk its access decision results in both of those functions. That should
tell us something about what's going on.
-Steve
More information about the Linux-audit
mailing list