On Tuesday, December 10, 2013 04:48:54 PM Lucas Meneghel Rodrigues wrote:
> On 12/10/2013 01:20 AM, Corey Bryant wrote:
> >>> IMHO the test suite should probe to see if sandbox is working or not,
> >>> and just not use the "-sandbox on" arg if the host doesn't support it.
> >>
> >> But I think this could be done on virt-test as well :)
> >
> > This would make sense.
> >
> > Although it sounds like Lucas was looking for an error message when
> > seccomp kills qemu. Maybe virt-test could grep the audit log for the
> > existence of a "type=SECCOMP" record within the test's time of
> > execution, and issue a message based on that.
>
> It's a valid idea. The problem I see with it is that not every distro
> out there uses SELinux. Not getting into the merits of whether they
> should, ideally it'd be nice to have this working on distros that won't
> use SELinux.

Minor point of clarification, but audit and SELinux are independent
subsystems in the kernel. Also, and I don't have a non-audit kernel built at
the moment to verify this, but on non-audit kernels the audit messages should
be sent to syslog so you *should* still be able to search for SECCOMP records
regardless.

-- 
paul moore
security and virtualization @ redhat
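
A sketch of the log check discussed in this thread, added here as an example and not code from virt-test or from any poster: it scans log lines for SECCOMP records whose audit timestamp falls inside a test's execution window. The function name `find_seccomp_kills` and the sample lines are constructed for illustration; it assumes kernel-relayed messages carry the numeric record type (`type=1326`) where auditd logs carry `type=SECCOMP`.

```python
import re

# AUDIT_SECCOMP is record type 1326: auditd logs show the name, kernel
# messages relayed to syslog show the number (assumed format for both).
SECCOMP_RE = re.compile(
    r'type=(?:SECCOMP|1326)\s+(?:msg=)?audit\((?P<ts>\d+\.\d+):\d+\):'
    r'(?P<body>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (not real log output): two qemu kills inside the
# window, one old record, one non-SECCOMP record, one unrelated process.
SAMPLE_LOG = [
    'type=SECCOMP msg=audit(1386712100.512:3021): auid=0 uid=107 gid=107 '
    'ses=4 pid=4411 comm="qemu-kvm" sig=31 syscall=62 compat=0 code=0x0',
    'Dec 10 16:48:40 host kernel: type=1326 audit(1386712120.007:3022): '
    'uid=107 pid=4502 comm="qemu-system-x86" sig=31 syscall=101 code=0x0',
    'type=SECCOMP msg=audit(1386700000.100:2990): auid=0 uid=107 '
    'pid=3900 comm="qemu-kvm" sig=31 syscall=62 compat=0 code=0x0',
    'type=AVC msg=audit(1386712101.000:3023): avc:  denied  { read } '
    'for  pid=4411 comm="qemu-kvm"',
    'type=SECCOMP msg=audit(1386712110.000:3024): auid=1000 uid=1000 '
    'pid=5100 comm="chrome" sig=31 syscall=56 compat=0 code=0x0',
]


def find_seccomp_kills(lines, start, end, comm_prefix="qemu"):
    """Return SECCOMP records with start <= timestamp <= end (epoch seconds)
    whose comm field begins with comm_prefix."""
    hits = []
    for line in lines:
        m = SECCOMP_RE.search(line)
        if not m:
            continue
        ts = float(m.group("ts"))
        if not start <= ts <= end:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        if not fields.get("comm", "").startswith(comm_prefix):
            continue
        hits.append({"time": ts, "comm": fields["comm"],
                     "pid": int(fields.get("pid", -1)),
                     "syscall": int(fields.get("syscall", -1)),
                     "sig": int(fields.get("sig", 0))})
    return hits
```

A test harness would record the epoch time before and after launching the guest and pass both log sources (audit log and syslog) through the same function, reporting the `syscall` number from any hit.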