On Monday 04 August 2008 18:49:42 LC Bruzenak wrote:
> After reading Steve's info about the "comm" field being clipped at 16
> chars, I was surprised to see a longer string inside the audit-viewer
> "comm" field.

If the event below is where it came from, then it originated in user space and is not subject to the 16 byte kernel limitation.

> The same event in ausearch shows a NULL "comm" field, but the rest of
> the info lines up with the GUI:

The user space AVCs are FUBAR and I told the SE Linux people that they are not following the audit logging convention. They need to fix the code in libselinux.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
