On Fri, 06 Oct 2006 10:29:55 -0400 Stephen Smalley wrote:
I am playing with FC6-test3. I installed audit, and found that type=PATH record does not appear in audit.log, when access is denied by SELinux.
Will type=PATH record disappear in FC6?
If you define any audit rules via auditctl (or put them into /etc/audit/audit.rules for loading upon startup), then you should see them again. There is an optimization in the audit system to disable collection of audit data like paths if there are no audit rules to avoid the overhead associated with such collection. This means you need at least one audit rule defined to get that information.
I have tried it now. PATH entry appeared by adding dummy audit rule. Thank you.
Yuichi