On Thu, 2005-05-26 at 09:31 +0300, George J. Jahchan wrote:
> As you correctly mentioned, auditd worked by adding audit and audit_control to
> the capability section of flask/access_vectors.
>
> Noticed that audit.log shows "avc: denied" kernel events that are not reported
> in messages. Are these suppressed by the dontaudit rules in the policy?

When auditd is running, the kernel sends audit messages to it and auditd writes them to /var/log/audit/audit.log per /etc/auditd.conf, so they do not appear in messages at all. When no auditd is running, audit messages are handled via the normal kernel logging mechanism, i.e. read by klogd which in turn sends them along to syslogd, which in turn writes them to /var/log/messages or elsewhere per /etc/syslog.conf.

If a dontaudit rule exists, then SELinux won't generate an audit message at all for that denial, and it won't appear in any log.

--
Stephen Smalley
National Security Agency
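An added example, not part of the original message or of any SELinux tool: because a denial lands in audit.log or in messages depending on whether auditd was running at the time, this Python code collects `avc: denied` records from both files into one list. The function names and sample lines are constructed for illustration, and using the `type=` prefix to tell the two sources apart is an assumed heuristic.

```python
import re

# The "avc: denied" body is the same whether auditd wrote the record to
# audit.log or klogd/syslogd relayed it to messages; only the prefix differs.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    return {
        # Assumed heuristic: auditd records begin with "type=", syslog ones with a date.
        "via": "auditd" if line.lstrip().startswith("type=") else "syslog",
        "event": (float(m.group("ts")), int(m.group("serial"))),
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
    }

def collect_denials(audit_lines, syslog_lines):
    """Merge denials from both logs in time order, one entry per audit event id."""
    seen = {}
    for line in list(audit_lines) + list(syslog_lines):
        rec = parse_avc(line)
        if rec:
            seen.setdefault(rec["event"], rec)
    return [seen[k] for k in sorted(seen)]

# Constructed sample lines (not taken from a real system).
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1117089060.123:45): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev=hda1 ino=4711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file',
    'type=SYSCALL msg=audit(1117089060.123:45): arch=40000003 syscall=5 success=no exit=-13',
]
SAMPLE_MESSAGES = [
    'May 26 09:10:02 host kernel: audit(1117087802.500:12): avc:  denied  { write } for  pid=1544 comm="named" name="log" dev=hda1 ino=99 scontext=system_u:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir',
    'May 26 09:10:03 host crond[1600]: (root) CMD (run-parts /etc/cron.hourly)',
]

if __name__ == "__main__":
    for d in collect_denials(SAMPLE_AUDIT_LOG, SAMPLE_MESSAGES):
        print(d["via"], d["event"], d["perms"], d["scontext"], "->", d["tcontext"], d["tclass"])
```

Denials covered by a dontaudit rule generate no audit message, so they will be absent from the merged list as well.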