On 02/15/2013 01:44 PM, Luis Ressel wrote:
> Again, you're right. On this boot, dontaudit rules were actually
> enabled. Now, here's another log where they are disabled again.
This line from your log file:
audit_printk_skb: 643 callbacks suppressed
indicates that you are hitting the printk ratelimit (to prevent flooding
of syslog) and therefore dropping messages.
You could apply the attached patch or something like it to disable the
printk ratelimit on audit messages.
However, you might want to first fix some of the obvious denials in your
policy. The rlimitinh, siginh, and noatsecure ones can generally be
ignored. But you are getting various other denials that likely should
be allowed. Adding the unconfined module to your policy would
automatically eliminate any denials for the kernel or init domains.
diff --git a/kernel/audit.c b/kernel/audit.c
index d596e53..fdcfe1d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -390,10 +390,7 @@ static void audit_printk_skb(struct sk_buff *skb)
char *data = nlmsg_data(nlh);
if (nlh->nlmsg_type != AUDIT_EOE) {
- if (printk_ratelimit())
- printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data);
- else
- audit_log_lost("printk limit exceeded\n");
+ printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data);
}
audit_hold_skb(skb);
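Review bot: Dropping the printk_ratelimit() branch in audit_printk_skb() removes the only throttle on console/syslog output for audit records, so the burst of denials that triggered the "643 callbacks suppressed" line above will now be printed in full and can flood the console; that is fine as a one-off debugging patch, but anything kept in a tree should gate this behind a boot-time or sysctl knob rather than making it unconditional. The change also drops the audit_log_lost("printk limit exceeded\n") call, so if any throttling is reintroduced later, the lost-record counter no longer reflects messages dropped here; keep that accounting alongside whatever limit remains.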