On Mon, 2010-02-22 at 12:39 -0500, Alan Rouse wrote: > Stephen wrote: > > Hmm...enabled=0, i.e. disabled. > > Might need to boot with audit=1 on the kernel command line then. > > Or enable auditd (chkconfig auditd on). > > audit=1 on the kernel command line doesn't change things. auditctl -s still says enabled=0. > Same for "chkconfig auditd on" and reboot. > > I've installed the latest refpolicy from the tresys source repository. Attached is the audit.log after booting that policy (init_upstart --> on) You need to perform a restorecon -R /dev from /etc/rc.d/rc.sysinit so that the tmpfs /dev mount is properly labeled. File a bug against whatever package owns that file in OpenSUSE (in Fedora, it is the initscripts rpm). You should also perform a complete filesystem relabel to ensure that all file labels are correct for the latest refpolicy. There are SYSCALL records in your latest audit.log, so you have enabled auditing now. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
