public inbox for linux-audit@redhat.com
* audit log question
@ 2008-07-23 21:27 LC Bruzenak
  2008-07-23 21:53 ` LC Bruzenak
  0 siblings, 1 reply; 2+ messages in thread
From: LC Bruzenak @ 2008-07-23 21:27 UTC (permalink / raw)
  To: Linux Audit

Using MLS permissive policy selinux-policy-mls-3.3.1-77.fc9.noarch.

I'm looking at some AVCs generated when I do an ausearch as root.
I thought it was because the root context was set at SystemLow.

I looked at the logs and all are set at SystemHigh except the last 4
(current audit.log + audit.log.[1-3]).

[root@hugo sbin]# ls -al /var/log/audit/audit.log.[1-6]
-r-------- 1 root root 5243230 2008-07-23 15:34 /var/log/audit/audit.log.1
-r-------- 1 root root 5242915 2008-07-22 12:36 /var/log/audit/audit.log.2
-r-------- 1 root root 5242932 2008-07-22 12:36 /var/log/audit/audit.log.3
-r-------- 1 root root 5243017 2008-06-27 12:33 /var/log/audit/audit.log.4
-r-------- 1 root root 5242977 2008-06-27 12:16 /var/log/audit/audit.log.5
-r-------- 1 root root 5242921 2008-06-27 11:52 /var/log/audit/audit.log.6
[root@hugo sbin]# ls -alZ /var/log/audit/audit.log.[1-6]
-r--------  root root root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.1
-r--------  root root root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.2
-r--------  root root root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.3
-r--------  root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.4
-r--------  root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.5
-r--------  root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.6


Is this correct (and if so, why)?
Maybe I did something...

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: audit log question
  2008-07-23 21:27 audit log question LC Bruzenak
@ 2008-07-23 21:53 ` LC Bruzenak
  0 siblings, 0 replies; 2+ messages in thread
From: LC Bruzenak @ 2008-07-23 21:53 UTC (permalink / raw)
  To: Linux Audit

I just did a relabel/reboot and they all went to SystemHigh (what I'd
expect).

So I'm not sure how they were in that state to begin with, but I'll ask
again if it happens later.

Thx,
LCB.
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
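
Added example, not part of the original thread and not code from the audit
project: a small shell check that lists audit log files whose MLS level
differs from the expected one, so a label drift like the one above is caught
before it shows up as AVCs. The function names, the "context path" input
format and the SystemHigh expectation (taken from the second message) are
assumptions of this example.

```shell
#!/bin/sh
# Input on stdin: one "<context> <path>" pair per line, e.g. produced by
#   stat -c '%C %n' /var/log/audit/audit.log*
# Output: "<path> <level>" for every file whose level is not the expected one.

label_mismatches() {
    expected=$1
    while read -r context path; do
        [ -n "$context" ] || continue
        case $context in
            *:*:*:*)
                # context is user:role:type:level; the level may itself
                # contain colons when mcstransd is not translating it
                level=${context#*:}   # drop user
                level=${level#*:}     # drop role
                level=${level#*:}     # drop type
                ;;
            *)
                # no level field at all (non-MLS/MCS context)
                level="(none)"
                ;;
        esac
        if [ "$level" != "$expected" ]; then
            printf '%s %s\n' "$path" "$level"
        fi
    done
}

# Constructed sample input, reusing the contexts shown in the first message.
sample_contexts() {
    cat <<'EOF'
root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.1
root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.2
root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.3
system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.4
system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.5
system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.6
EOF
}

# Expected level is an assumption: SystemHigh, as the thread's author expects.
sample_contexts | label_mismatches SystemHigh
```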

