On Wed, 2005-11-30 at 05:38 -0800, Steve G wrote:
>You should do
>
>audit2allow -l < /var/log/audit/audit.log
I would like to take this opportunity to point out that you should not be using
the audit logs directly. ausearch is the correct way to access the logs. I would
recommend:
ausearch -m avc,selinux_err | audit2allow -l
There's 3 reasons for this. 1) There may be more than 1 log file that needs to be
examined. ausearch automatically looks at all of them. You can restrict its
search by using the -ts & -te parameters. 2) Sometimes file names or sockets get
encoded and cannot be read without ausearch's interpretation...and 3) we may be
changing to binary log format at some point during fc5/6 time frame.
Hmm...this should likely get reflected in the audit2allow man page...
--
Stephen Smalley
National Security Agency