audit log question

LC Bruzenak lenny at magitekltd.com
Wed Jul 23 21:27:39 UTC 2008


Using MLS permissive policy selinux-policy-mls-3.3.1-77.fc9.noarch.

I'm looking at some AVCs generated when I do an ausearch as root.
I thought it was because the root context was set at SystemLow.

I looked at the logs and all are set at SystemHigh except the last 4
(current audit.log + audit.log.[1-3]).

[root at hugo sbin]# ls -al /var/log/audit/audit.log.[1-6]
-r-------- 1 root root 5243230 2008-07-23 15:34 /var/log/audit/audit.log.1
-r-------- 1 root root 5242915 2008-07-22 12:36 /var/log/audit/audit.log.2
-r-------- 1 root root 5242932 2008-07-22 12:36 /var/log/audit/audit.log.3
-r-------- 1 root root 5243017 2008-06-27 12:33 /var/log/audit/audit.log.4
-r-------- 1 root root 5242977 2008-06-27 12:16 /var/log/audit/audit.log.5
-r-------- 1 root root 5242921 2008-06-27 11:52 /var/log/audit/audit.log.6
[root at hugo sbin]# ls -alZ /var/log/audit/audit.log.[1-6]
-r--------  root root root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.1
-r--------  root root root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.2
-r--------  root root root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.3
-r--------  root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.4
-r--------  root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.5
-r--------  root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.6


Is this correct (and if so, why)?
Maybe I did something...

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com