On Sun, 2005-05-15 at 22:44 +1000, Russell Coker wrote:
> Recently the AVC messages have been changed to not include the name of the
> executable as this is stored in the audit system.
>
> However a consequence of this is that in the early stages of boot we can't
> find out which program caused a message. This probably isn't a problem for
> the typical Fedora user (who uses targeted policy and has most of the boot
> scripts running in unconfined_t), but will cause problems for people who use
> the strict policy in its most strict configuration and for people who want
> to develop an entirely new policy.
>
> What's the recommended solution to this? Can we get the audit functionality
> enabled through printk early in the boot process (IE in the first few lines
> of rc.sysinit)?

The kernel defaults to using printk if no audit daemon is registered.
But you need to boot with audit=1 to enable syscall auditing or run
auditctl -e 1 or auditd very early to enable it.

Dave Woodhouse has a patch to restore logging of the pid and comm to
avc_audit(), which can be safely done (unlike the exe). We could
upstream that patch possibly, as it reduces the impact of the change on
users.

--
Stephen Smalley
National Security Agency
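An added example, not part of the original thread: one way to attribute early-boot AVC denials from printk output to programs when pid and comm are logged, falling back to the source domain when they are absent. The sample lines are constructed and their field layout is an assumption modelled on the usual AVC message format.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not captured from a real system).
SAMPLE_LOG = """\
audit(1116160000.123:0): avc:  denied  { read } for  pid=412 comm="hwclock" name=adjtime dev=hda1 ino=1234 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:etc_t tclass=file
audit(1116160000.456:0): avc:  denied  { write } for  name=log dev=hda1 ino=99 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=sock_file
audit(1116160001.002:0): avc:  denied  { read write } for  pid=412 comm="hwclock" name=rtc dev=tmpfs ino=7 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:device_t tclass=chr_file
EXT3-fs: mounted filesystem with ordered data mode.
"""

# "avc: denied { perms } for key=value ..." (layout assumed, see lead-in).
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC line, or None for unrelated kernel output."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in FIELD_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    return rec


def denials_by_program(log_text):
    """Count denied permissions per (program, pid, target class)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        # Without comm, the source domain is the only hint at the program.
        who = rec.get("comm") or "<unknown, domain %s>" % rec.get("scontext", "?")
        counts[(who, rec.get("pid"), rec.get("tclass"))] += len(rec["perms"])
    return counts


if __name__ == "__main__":
    for (who, pid, tclass), n in sorted(denials_by_program(SAMPLE_LOG).items(), key=str):
        print(f"{who} pid={pid} tclass={tclass}: {n} permission(s) denied")
```

On a strict policy where many boot scripts share a domain such as initrc_t, the fallback row shows how little the domain alone identifies the program.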