Peter Moody wrote:
> It generates this for everything executed (I think I mean for every
> domain transition in tomoyo parlance)?

TOMOYO's audit log is generated for every do_execve() request that reached TOMOYO's permission checks for do_execve().

> I'm familiar with auditd, I'm trying to find a lighter-weight version
> of the equivalent of auditctl -a exit,always -S execve -F success=1

But TOMOYO cannot prune audit logs for failed do_execve() requests because TOMOYO checks permission before do_execve() succeeds (i.e. before install_exec_creds() in fs/exec.c is called). Unless a MAC implementation generates audit logs for do_execve() from security_bprm_committing_creds() in install_exec_creds(), I think it is impossible for MAC to do the "-F success=1" part.
