On Tue, Feb 19, 2008 at 10:42:10PM -0500, [EMAIL PROTECTED] wrote: > On Wed, 20 Feb 2008 01:38:55 +1100, Nick Andrew said: > > + AVC refers to Access Vector Cache, a subsystem used by SELinux > > + to improve performance of the security checking by caching > > + previous access decisions. > > This paragraph can be dropped, as the reasons that SELinux denial messages > are tagged with 'avc' are mostly historical. If you want to expand on > anything > in here, explain that 'AVC' messages are interesting because they indicate > some sort of security rule denial.
Ok, if AVC is incidental then I don't need to mention it, and so don't need to define the acronym. > So - if you don't enable auditing, > your security messages end up in the kernel syslog. If you enable auditing, > they end up in the audit logs. Explaining *that* clearly would be a lot > more useful than explaining what avc originally stood for.. ;) How about this. I tried to explain what happens to audit messages. bool "Auditing support" depends on NET help - Enable auditing infrastructure that can be used with another - kernel subsystem, such as SELinux (which requires this for - logging of avc messages output). Does not do system-call - auditing without CONFIG_AUDITSYSCALL. + Enable an auditing infrastructure that can be used with another + kernel subsystem, such as Security-Enhanced Linux (SELinux), + which requires this option for logging of security related + messages. + + With this option, the kernel can use netlink to pass audit + messages to an audit daemon process. Otherwise, audit messages + are logged to syslog. + + See <http://www.nsa.gov/selinux/> for more information + on Security-Enhanced Linux. + + CONFIG_AUDITSYSCALL (see below) is also required for + system-call auditing. + + If unsure, say N. I'm puzzled about "end up in the kernel syslog". Looking at include/linux/audit.h it seems that they go nowhere: #ifdef CONFIG_AUDIT [...] #else #define audit_log(c,g,t,f,...) do { ; } while (0) #define audit_log_start(c,g,t) ({ NULL; }) #define audit_log_vformat(b,f,a) do { ; } while (0) #define audit_log_format(b,f,...) do { ; } while (0) #define audit_log_end(b) do { ; } while (0) #define audit_log_hex(a,b,l) do { ; } while (0) #define audit_log_untrustedstring(a,s) do { ; } while (0) #define audit_log_n_untrustedstring(a,n,s) do { ; } while (0) #define audit_log_d_path(b, p, d) do { ; } while (0) #define audit_enabled 0 #endif So it looks like if CONFIG_AUDIT is not defined then audit messages are ignored. Syslog is used by kernel/audit.c when there is an audit failure, which seems to be mainly if the userspace audit daemon is not running. Nick. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/