Re: Possibly wrong audit messages

Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Glauber de Oliveira Costa <glommer@br.ibm.com>
Cc: linux-audit@redhat.com, mcthomps@us.ibm.com
Subject: Re: Possibly wrong audit messages
Date: Mon, 12 Jun 2006 08:51:42 -0400	[thread overview]
Message-ID: <200606120851.42427.sgrubb@redhat.com> (raw)
In-Reply-To: <200606120936.09801.glommer@br.ibm.com>

On Monday 12 June 2006 08:36, Glauber de Oliveira Costa wrote:
> If this is really the expected behaviour, sorry for the bogus report.

The 2.6.17 kernel, which is not released, changes this behavior so that it 
generates an event that looks something like this:

type=MAC_CONFIG_CHANGE msg=audit(1149610548.301:384): bool=user_ping 
val=0 old_val=1 auid=501

The messages you are seeing comes from SE Linux policy which can be changed 
once this patch is in an official kernel. You would still see an event for 
each boolean that was set/reset. If policy does not get changed, you will see 
2 events for each set/reset.

-Steve

     prev parent reply	other threads:[~2006-06-12 12:51 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-06-12 12:36 Possibly wrong audit messages Glauber de Oliveira Costa
2006-06-12 12:51 ` Steve Grubb [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200606120851.42427.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=glommer@br.ibm.com \
    --cc=linux-audit@redhat.com \
    --cc=mcthomps@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox