Not that this is a big deal, but is there a way to stop audit2allow from processing and creating rules for audits that are ‘granted’?

I turned on auditing for a couple of rules so I can keep an eye on domain transitions. That creates some entries in the audit log such as: “avc: granted { transition } for pid=3409”. When I run audit2allow on that entry, audit2allow creates a rule for that entry as if the entry were a ‘denied’ rather than a ‘granted’.

It became an issue when I was ignoring the allow transition entries, and there was an actual ‘denied’ audit (hidden amongst the granted transitions [for MLS reasons]) that I was not catching when manually going through the logs.

Thanks again,
Jeff
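
One way to separate the two kinds of record before anything reaches audit2allow, as an added example that is not part of the original post: it parses AVC lines, keeps the `denied` ones and counts the `granted` ones so a denial hidden among granted transitions stands out. The log lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit lines (not taken from the post).
SAMPLE_LOG = [
    'type=AVC msg=audit(1150000001.101:11): avc:  granted  { transition } for  pid=3409 comm="su" scontext=user_u:user_r:user_t:s0 tcontext=user_u:sysadm_r:sysadm_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1150000001.101:11): arch=40000003 syscall=11 success=yes',
    'type=AVC msg=audit(1150000002.202:12): avc:  granted  { transition } for  pid=3410 comm="su" scontext=user_u:user_r:user_t:s0 tcontext=user_u:sysadm_r:sysadm_t:s0 tclass=process',
    'type=AVC msg=audit(1150000003.303:13): avc:  denied  { transition } for  pid=3411 comm="su" scontext=user_u:user_r:user_t:s0 tcontext=user_u:sysadm_r:sysadm_t:s0-s15:c0.c255 tclass=process',
    'type=AVC msg=audit(1150000004.404:14): avc:  granted  { transition } for  pid=3412 comm="su" scontext=user_u:user_r:user_t:s0 tcontext=user_u:sysadm_r:sysadm_t:s0 tclass=process',
]

# Decision, permission set and the key=value tail of an AVC record.
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {"decision": m.group(1), "perms": tuple(m.group(2).split()),
            "fields": fields, "raw": line}

def split_log(lines):
    """Split AVC records into (denied, granted); non-AVC lines are skipped."""
    denied, granted = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            (denied if rec["decision"] == "denied" else granted).append(rec)
    return denied, granted

def summarize(records):
    """Count records by (scontext, tcontext, tclass, permissions)."""
    return Counter((r["fields"].get("scontext"), r["fields"].get("tcontext"),
                    r["fields"].get("tclass"), r["perms"]) for r in records)

if __name__ == "__main__":
    denied, granted = split_log(SAMPLE_LOG)
    print(f"{len(granted)} granted, {len(denied)} denied")
    for rec in denied:
        # Only these raw lines are candidates for audit2allow input.
        print(rec["raw"])
```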