Possibly wrong audit messages

Possibly wrong audit messages

[Glauber de Oliveira Costa]

Hi,

I'm in a FC5 box, and tryied to shoot an setsebool command as 
secadm_r:SystemHigh (mls policy)

Instead of an audit message identifying the set operation, I'm getting 81 AVC 
messages (81 is the number of booleans present in /selinux/booleans/) 
indicating a success. Such a large number of messages makes the correct 
information hard to find, IMHO. This does not seem to be the right behaviour 
to me.

A typical message looks like this:
 
type=AVC msg=audit(1149411239.670:6462): avc:  granted  { setbool } 
for pid=3460 comm="setsebool" scontext=root:secadm_r:secadm_t:s15:c0.c255
tcontext=system_u:object_r:security_t:s15:c0.c255 tclass=security

If this is really the expected behaviour, sorry for the bogus report. 

-- 
"Free as in Freedom"
Glauber de Oliveira Costa

Re: Possibly wrong audit messages

[Steve Grubb]

On Monday 12 June 2006 08:36, Glauber de Oliveira Costa wrote:
> If this is really the expected behaviour, sorry for the bogus report.

The 2.6.17 kernel, which is not released, changes this behavior so that it 
generates an event that looks something like this:

type=MAC_CONFIG_CHANGE msg=audit(1149610548.301:384): bool=user_ping 
val=0 old_val=1 auid=501

The messages you are seeing comes from SE Linux policy which can be changed 
once this patch is in an official kernel. You would still see an event for 
each boolean that was set/reset. If policy does not get changed, you will see 
2 events for each set/reset.

-Steve