On Tuesday 16 May 2006 11:53, Linda Knippers wrote: > His transcript was when running in permissive mode so won't you only get > the avc deny once?
If its in permissive, you shouldn't get any failure that results in EPERM from SE Linux. But on second look, this AVC has a success=yes, so maybe not the smoking gun. If there was a corresponding AVC with success=no, then that would be notable. AFAICT, there are 2 places where an access decision is made, audit_netlink_ok in kernel/audit.c. And the other place is selinux_nlmsg_lookup in security/selinux/nlmsgtab.c. I think you'd want to patch your kernel to printk its access decision results in both of those functions. That should tell us something about what's going on. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
