On Tue, Feb 2, 2021 at 4:29 PM Daniel Walker <[email protected]> wrote: > From: Victor Kamensky <[email protected]> > > To efficiently find out where SELinux AVC denial is comming from > take backtrace of user land process and display it as type=UBACKTRACE > message that comes as audit context for SELinux AVC and other audit > messages ...
Have you tried the new perf tracepoint for SELinux AVC decisions that trigger an audit event? It's a new feature for v5.10 and looks to accomplish most of what you are looking for with this patch. * https://www.paul-moore.com/blog/d/2020/12/linux_v510.html -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
