On Tue, Feb 2, 2021 at 4:29 PM Daniel Walker <danie...@cisco.com> wrote: > From: Victor Kamensky <kamen...@cisco.com> > > To efficiently find out where SELinux AVC denial is comming from > take backtrace of user land process and display it as type=UBACKTRACE > message that comes as audit context for SELinux AVC and other audit > messages ...
Have you tried the new perf tracepoint for SELinux AVC decisions that trigger an audit event? It's a new feature for v5.10 and looks to accomplish most of what you are looking for with this patch. * https://www.paul-moore.com/blog/d/2020/12/linux_v510.html -- paul moore www.paul-moore.com
