No type=PATH record in FC6 audit? - selinux - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

No type=PATH record in FC6 audit?

FC5, SELinux strict, and kickstart

SELinux Symposium CFP extended

Yuichi Nakamura

Friday, 6 October 2006 Fri, 6 Oct '06

9:09 a.m.

Hi, I am playing with FC6-test3. I installed audit, and found that type=PATH record does not appear in audit.log, when access is denied by SELinux. Will type=PATH record disappear in FC6? Yuichi Nakamura

Reply

Show replies by date

Stephen Smalley

Friday, 6 October Fri, 6 Oct

9:29 a.m.

On Fri, 2006-10-06 at 23:09 +0900, Yuichi Nakamura wrote:

Hi, I am playing with FC6-test3. I installed audit, and found that type=PATH record does not appear in audit.log, when access is denied by SELinux. Will type=PATH record disappear in FC6?

If you define any audit rules via auditctl (or put them into /etc/audit/audit.rules for loading upon startup), then you should see them again. There is an optimization in the audit system to disable collection of audit data like paths if there are no audit rules to avoid the overhead associated with such collection. This means you need at least one audit rule defined to get that information. -- Stephen Smalley National Security Agency

Reply

Yuichi Nakamura

Monday, 9 October Mon, 9 Oct

7:02 p.m.

On Fri, 06 Oct 2006 10:29:55 -0400 Stephen Smalley wrote:

> I am playing with FC6-test3. > I installed audit, > and found that type=PATH record does not appear in audit.log, > when access is denied by SELinux. > > Will type=PATH record disappear in FC6? If you define any audit rules via auditctl (or put them into /etc/audit/audit.rules for loading upon startup), then you should see them again. There is an optimization in the audit system to disable collection of audit data like paths if there are no audit rules to avoid the overhead associated with such collection. This means you need at least one audit rule defined to get that information.

I have tried it now. PATH entry appeared by adding dummy audit rule. Thank you. Yuichi

Reply

Steve G

Friday, 6 October Fri, 6 Oct

11:12 a.m.

Will type=PATH record disappear in FC6?

It is there, however we loose that record unless you have audit rules loaded. This was part of some performance optimizations of the audit system so that it can be on all the time for setroubleshootd. -Steve __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

Reply

6407

days inactive

6411

days old

selinux@lists.fedoraproject.org

Manage subscription

3 comments

4 participants

tags (0)

participants (4)

Stephen Smalley
Steve G
Yuichi Nakamura
Yuichi Nakamura