Hi there. I have three systems running f13 and on one of those systems audit.log has not been rotated since July 20 when the system was first brought up with f13.
After some digging I found a reference to a file that can be run as a cron job to cause the log file to be rotated. (/usr/share/doc/audit-2.0.4/auditd.cron)
The two systems on which rotating the logs has been working are both in enforcing mode, the one that has not been rotating the log has enforcing=0
I do not remember doing anything else different as far as selinux goes on these three boxes. Could not find any reference to audit.log in /etc/logrotate.conf /etc/logrotate.d/* /etc/cron.daily/* or /etc/cron.weekly/* on any of the systems.
Any idea why one box out of three would behave differently? It is a worrisome difference.
Currently running the 2.6.34.6-47.fc13.i686.PAE kernel on the non-rotating system and one of the two others. But the behavior has not changed from the initial installation through all of the updates since then. All three systems are have 2.0.4-3.fc13 of audit, audit-libs and audit-libs-python installed.
BTW - great work on SELinux! It has improved a great deal over the past five years. The only reason I have one box in permissive mode is because it is running TWiki and I have not found time to make the changes needed to get selinux and twiki to play nice together.
Thanks,
Mike