audit log question

audit log question

[LC Bruzenak]

Using MLS permissive policy selinux-policy-mls-3.3.1-77.fc9.noarch.

I'm looking at some AVCs generated when I do a ausearch as root.
I thought it was because the root context was set at SystemLow.

I looked at the logs and all are set at SystemHigh except the last 4
(current audit.log + audit.log.[1-3]).

[root@hugo sbin]# ls -al /var/log/audit/audit.log.[1-6]
-r-------- 1 root root 5243230 2008-07-23
15:34 /var/log/audit/audit.log.1
-r-------- 1 root root 5242915 2008-07-22
12:36 /var/log/audit/audit.log.2
-r-------- 1 root root 5242932 2008-07-22
12:36 /var/log/audit/audit.log.3
-r-------- 1 root root 5243017 2008-06-27
12:33 /var/log/audit/audit.log.4
-r-------- 1 root root 5242977 2008-06-27
12:16 /var/log/audit/audit.log.5
-r-------- 1 root root 5242921 2008-06-27
11:52 /var/log/audit/audit.log.6
[root@hugo sbin]# ls -alZ /var/log/audit/audit.log.[1-6]
-r--------  root root
root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.1
-r--------  root root
root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.2
-r--------  root root
root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.3
-r--------  root root
system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.4
-r--------  root root
system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.5
-r--------  root root
system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.6


Is this correct (and if so, why)?
Maybe I did something...

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

Re: audit log question

[LC Bruzenak]

I just did a relabel/reboot and they all went to SystemHigh (what I'd
expect).

So I'm not sure how they were in that state to begin with, but I'll ask
again if it happens later.

Thx,
LCB.
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com