Steve Grubb wrote:
On Tuesday 16 May 2006 11:53, Linda Knippers wrote:
His transcript was when running in permissive mode so won't you only get
the avc deny once?
If its in permissive, you shouldn't get any failure that results in EPERM from
SE Linux. But on second look, this AVC has a success=yes, so maybe not the
smoking gun. If there was a corresponding AVC with success=no, then that
would be notable.
AFAICT, there are 2 places where an access decision is made, audit_netlink_ok
in kernel/audit.c. And the other place is selinux_nlmsg_lookup in
security/selinux/nlmsgtab.c. I think you'd want to patch your kernel to
printk its access decision results in both of those functions. That should
tell us something about what's going on.
-Steve
Interesting factoid here for you Steve:
I just compiled auditctl from scratch, and the newly compiled binary got
the "Error sending rule list request" thing, even though I had been
using the /sbin/auditctl -l functionality for a long while prior.
Does this mean anything to you? or at least help narrow the search?
Mike
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
