On Mon, 2005-01-03 at 11:52, Steve G wrote:
> This is good to know. I am working on the audit daemon and noticed that avc
> messages usually wind up in syslog *even if* the audit daemon is running. I see
> "real" audit messages going to /var/log/audit.log and scrolling dbus avc messages
> in /var/log/messages both at the same time.
>
> Not sure how the kernel decides where to send each of these...but they do go to
> different places on my machine.

dbusd avc audit messages are generated by libselinux using a callback function
provided by dbusd, and dbusd likely is just using syslog() rather than
communicating with the audit daemon. The kernel audit framework isn't involved
in that path. You'll need to change the callback function provided by dbusd to
instead send an AUDIT_USER message with the audit data (or alternatively, have
it talk directly to the audit daemon).

For the kernel, the relevant code is audit_log_drain() in kernel/audit.c. That
checks whether audit_pid has been set, and if so, it sends the audit message to
that process; otherwise, it ends up calling printk to send via klogd.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
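The two routing decisions described in the reply (libselinux handing a formatted AVC message to a process-supplied log callback, and the "audit daemon registered, else fall back to syslog/printk" rule in audit_log_drain()) are modelled in the following added example, which is not code from the thread, from dbusd, or from libselinux/libaudit. It keeps the callback shape libselinux expects for SELINUX_CB_LOG, `int (*)(int type, const char *fmt, ...)`, but replaces syslog(3) and the audit socket with in-memory buffers so it compiles and runs without either library; the `SELINUX_AVC_TYPE` value, the `audit_fd` variable and the sample denial string are constructed for the example. In a real daemon the audit-side branch would call libaudit on a descriptor from audit_open() instead of filling `auditd_buf`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Where a formatted AVC message ends up. In the real stack these are syslog(3)
 * (what dbusd's callback is assumed to use today) and the audit daemon; here
 * both are in-memory buffers so the routing can be checked offline. */
enum sink { SINK_SYSLOG = 0, SINK_AUDITD = 1 };

static char syslog_buf[512];
static char auditd_buf[512];

/* Assumed stand-in for libselinux's message-type argument (constructed value). */
#define SELINUX_AVC_TYPE 3

/* Descriptor for the audit daemon connection; -1 means "no daemon registered",
 * the user-space analogue of audit_pid being unset in audit_log_drain(). */
static int audit_fd = -1;

/* The routing rule itself: daemon present -> daemon, otherwise syslog path. */
enum sink route_for_audit_fd(int fd)
{
    return fd >= 0 ? SINK_AUDITD : SINK_SYSLOG;
}

/* Log callback with the signature libselinux calls for SELINUX_CB_LOG. It
 * formats the message once, then delivers it to exactly one sink. */
static int avc_log_cb(int type, const char *fmt, ...)
{
    char msg[512];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);

    if (route_for_audit_fd(audit_fd) == SINK_AUDITD) {
        /* Real code: audit_log_user_message(audit_fd, AUDIT_USER, msg, ...). */
        snprintf(auditd_buf, sizeof auditd_buf, "type=%d %s", type, msg);
    } else {
        /* Real code: syslog(LOG_INFO, "%s", msg). */
        snprintf(syslog_buf, sizeof syslog_buf, "%s", msg);
    }
    return 0;
}

const char *last_syslog(void) { return syslog_buf; }
const char *last_auditd(void) { return auditd_buf; }

/* Drive one constructed dbus denial through the callback with a given audit
 * descriptor and report which sink received it. */
enum sink simulate_avc(int fd)
{
    syslog_buf[0] = '\0';
    auditd_buf[0] = '\0';
    audit_fd = fd;

    /* Constructed sample; field layout mimics an AVC denial but is not real data. */
    avc_log_cb(SELINUX_AVC_TYPE,
               "avc:  denied  { %s } for pid=%d scontext=%s tcontext=%s tclass=%s",
               "send_msg", 4242, "user_u:user_r:user_t",
               "system_u:system_r:hald_t", "dbus");

    return route_for_audit_fd(fd);
}

int main(void)
{
    simulate_avc(-1);
    printf("no daemon  -> syslog: %s\n", last_syslog());
    simulate_avc(3);
    printf("daemon fd 3 -> auditd: %s\n", last_auditd());
    return 0;
}
```

The point the reply makes is visible in `simulate_avc`: nothing about the message changes, only the sink, and that choice is made by the callback the process installs, not by the kernel. Swapping the syslog branch for a libaudit call is the change suggested for dbusd.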