Bug 1260148

Summary: BUG: SELinux AVC messages silently dropped by the audit subsystem in early boot
Product: [Fedora] Fedora Reporter: Paul Moore <pmoore>
Component: kernelAssignee: Paul Moore <pmoore>
Status: CLOSED DEFERRED QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab, sdsmall
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-02 20:23:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Moore 2015-09-04 14:37:41 UTC 
Description of problem:
On occasion SELinux AVC denials are dropped by the audit subsystem during early boot without any warnings about dropped audit records. 

Additional info:
Reported as an issue with Android kernels but it is expected to be a problem with standard kernels as well.
Comment 1 Paul Moore 2015-09-04 14:42:49 UTC 
I suspect this may be an issue with using the shared printk_ratelimit() limiter in audit_printk_skb() and audit_log_lost(); we probably should implement an audit specific rate limit to prevent other subsystems from squelching audit messages, especially those in audit_log_lost().
Comment 2 Paul Moore 2016-06-02 20:23:08 UTC 
We are now tracking upstream bugs via GitHub:

* https://github.com/linux-audit/audit-kernel/issues/17