Red Hat Bugzilla – Bug 1260148
BUG: SELinux AVC messages silently dropped by the audit subsystem in early boot
Last modified: 2016-06-02 16:23:08 EDT
Description of problem:
On occasion SELinux AVC denials are dropped by the audit subsystem during early boot without any warnings about dropped audit records.
Reported as an issue with Android kernels but it is expected to be a problem with standard kernels as well.
I suspect this may be an issue with using the shared printk_ratelimit() limiter in audit_printk_skb() and audit_log_lost(); we probably should implement an audit specific rate limit to prevent other subsystems from squelching audit messages, especially those in audit_log_lost().
We are now tracking upstream bugs via GitHub: