Have you tried the "-r" option of auditctl ? This would be something similar to the kernel printk_ratelimit(). The default is 0, you should increase it to a positive value representing a messages/second limit. Guido On Sun, 2009-12-13 at 12:23 -0800, Justin P. Mattock wrote: > On 12/13/09 11:40, Guido Trentalancia wrote: > > Have you tried tuning auditd and its dispatcher which could be audispd ? > > > > So for example, try feeding audispd with the following options: > > > > q_depth: increase it from its default value (which is 80 on Redhat's > > recent auditd) > > priority_boost = 0 > > > > Finally, if things don't improve, you could also try: > > > > overflow_action = suspend > > > > Other than this I don't know how to help. Good luck. > > > > > > well right now I dont really use auditd i.g. > the libraries are there but the daemon is off. > (I am not using fedora/redhat). > > In any case it's not a worry because I can go ahead and add the > allow rules, moreover the main issue is the spamming > of log message which might/could result in some buffer thing > reason for wanting info if there is a mechanism > like printk_ratelimit etc.. for Xorg.0.log > > Justin P. Mattock > > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message. > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
