From mboxrd@z Thu Jan  1 00:00:00 1970
From: Glauber de Oliveira Costa <glommer@br.ibm.com>
Subject: Possibly wrong audit messages
Date: Mon, 12 Jun 2006 09:36:09 -0300
Message-ID: <200606120936.09801.glommer@br.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com, sgrubb@redhat.com, mcthomps@us.ibm.com
List-Id: linux-audit@redhat.com

Hi,

I'm in a FC5 box, and tryied to shoot an setsebool command as 
secadm_r:SystemHigh (mls policy)

Instead of an audit message identifying the set operation, I'm getting 81 AVC 
messages (81 is the number of booleans present in /selinux/booleans/) 
indicating a success. Such a large number of messages makes the correct 
information hard to find, IMHO. This does not seem to be the right behaviour 
to me.

A typical message looks like this:
 
type=AVC msg=audit(1149411239.670:6462): avc:  granted  { setbool } 
for pid=3460 comm="setsebool" scontext=root:secadm_r:secadm_t:s15:c0.c255
tcontext=system_u:object_r:security_t:s15:c0.c255 tclass=security

If this is really the expected behaviour, sorry for the bogus report. 

-- 
"Free as in Freedom"
Glauber de Oliveira Costa