On Mon, Feb 10, 2014 at 9:47 AM, Steve Grubb <sgr...@redhat.com> wrote:
> On Monday, February 10, 2014 09:29:19 AM Andy Lutomirski wrote:
>> Grr. Why is all this crap tied up with syscall auditing anyway? ISTM
>> it would have been a lot nicer if audit calls just immediately emitted
>> audit records, completely independently of the syscall machinery.
>
> Because the majority of people needing audit need syscall records for it to
> make any sense. The auxiliary records generally report on the object of the
> syscall. We still require information about who was doing something, what they
> were doing, and what the result was.
>
> Even if you just get the AVCs, you still don't know what happened. If you get
> a deny record, was it really denied? The system could have been in permissive
> mode and the syscall succeeded. You only get the real decision when you have
> syscall records.
>
Fair enough. I'll see if I can turn this into something more workable.

--Andy
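Steve's point above is that an AVC record on its own cannot tell you whether a denial was enforced; the SYSCALL record that the kernel emits under the same event id (the `msg=audit(<timestamp>:<serial>)` pair) carries the `success=`/`exit=` fields that settle it. The script below is an added example, not code from this thread or from the kernel or audit projects, showing that correlation over audit log lines. The sample records are constructed, not captured from a real system, and are trimmed to the fields the logic needs.

```python
"""Correlate SELinux AVC records with the SYSCALL record of the same audit
event to decide whether a denial was actually enforced.

Added example; not from the LKML thread or from the kernel/audit projects.
The sample log lines below are constructed, not captured from a real system.
"""
import re
from collections import defaultdict

# type=<TYPE> msg=audit(<epoch.ms>:<serial>): <body>
# The (timestamp, serial) pair is the event id shared by every record the
# kernel emits for one syscall, so it is the join key between AVC and SYSCALL.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}')


def parse_record(line):
    """Split one raw audit line into its type, event id and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    rec = {'type': m.group('type'),
           'event': (m.group('ts'), int(m.group('serial'))),
           'fields': fields}
    avc = AVC_RE.search(body)
    if avc:  # AVC records carry the decision and permission set in prose form
        rec['decision'] = avc.group('decision')
        rec['perms'] = avc.group('perms').split()
    return rec


def correlate_denials(lines):
    """Group records by event id and judge each AVC denial by its SYSCALL record.

    Returns {serial: {'verdict', 'comm', 'perms', 'exit'}} where verdict is
      'enforced'   the syscall failed (success=no), so the denial took effect,
      'permissive' the syscall still succeeded (success=yes),
      'unknown'    no SYSCALL record was logged for the event, so we cannot tell.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec['event']].append(rec)

    results = {}
    for (_, serial), recs in sorted(events.items()):
        denials = [r for r in recs if r['type'] == 'AVC' and r.get('decision') == 'denied']
        if not denials:
            continue
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        if syscall is None:
            verdict, exit_code = 'unknown', None
        else:
            exit_code = int(syscall['fields'].get('exit', '0'))
            verdict = 'enforced' if syscall['fields'].get('success') == 'no' else 'permissive'
        results[serial] = {
            'verdict': verdict,
            'comm': denials[0]['fields'].get('comm'),
            'perms': sorted({p for d in denials for p in d['perms']}),
            'exit': exit_code,
        }
    return results


# Constructed sample: three events for the same denied open() of secret.txt.
SAMPLE_LINES = [
    # 5001: denial and the syscall failed with -EACCES (-13): enforced.
    'type=AVC msg=audit(1392047220.123:5001): avc:  denied  { read } for  pid=2345 comm="httpd" name="secret.txt" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1392047220.123:5001): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1c0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2345 auid=4294967295 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
    # 5002: same denial, but open() returned fd 5: the system was permissive.
    'type=AVC msg=audit(1392047221.456:5002): avc:  denied  { read } for  pid=2346 comm="httpd" name="secret.txt" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1392047221.456:5002): arch=c000003e syscall=2 success=yes exit=5 a0=7ffd1c0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2346 auid=4294967295 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
    # 5003: AVC only, no SYSCALL record (syscall auditing off): cannot tell.
    'type=AVC msg=audit(1392047222.789:5003): avc:  denied  { write } for  pid=2347 comm="httpd" name="secret.txt" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

if __name__ == '__main__':
    for serial, info in correlate_denials(SAMPLE_LINES).items():
        print(f"event {serial}: {info['comm']} {info['perms']} -> {info['verdict']} (exit={info['exit']})")
```

One caveat worth keeping in mind when reading the `permissive` verdict: a denial followed by `success=yes` usually does mean permissive mode, but a few kernel paths probe one permission, get denied, and then fall back to another, so treat `success=yes` as "this denial did not stop the call" rather than as proof of the global enforcement mode. The `unknown` bucket is exactly the situation Steve describes: without the SYSCALL record there is no result to read.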