1260148 – BUG: SELinux AVC messages silently dropped by the audit subsystem in early boot

Bug 1260148 - BUG: SELinux AVC messages silently dropped by the audit subsystem in early boot

Summary: BUG: SELinux AVC messages silently dropped by the audit subsystem in early boot

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Paul Moore
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-09-04 14:37 UTC by Paul Moore
Modified:	2016-06-02 20:23 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-06-02 20:23:08 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Paul Moore 2015-09-04 14:37:41 UTC

Description of problem:
On occasion SELinux AVC denials are dropped by the audit subsystem during early boot without any warnings about dropped audit records. 

Additional info:
Reported as an issue with Android kernels but it is expected to be a problem with standard kernels as well.

Comment 1 Paul Moore 2015-09-04 14:42:49 UTC

I suspect this may be an issue with using the shared printk_ratelimit() limiter in audit_printk_skb() and audit_log_lost(); we probably should implement an audit specific rate limit to prevent other subsystems from squelching audit messages, especially those in audit_log_lost().

Comment 2 Paul Moore 2016-06-02 20:23:08 UTC

We are now tracking upstream bugs via GitHub:

* https://github.com/linux-audit/audit-kernel/issues/17

Note You need to log in before you can comment on or make changes to this bug.