Ok, if AVC is incidental then I don't need to mention it, and so don't
need to define the acronym.
How about this. I tried to explain what happens to audit messages.
bool "Auditing support"
depends on NET
help
- Enable auditing infrastructure that can be used with another
- kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ Enable an auditing infrastructure that can be used with another
+ kernel subsystem, such as Security-Enhanced Linux (SELinux),
+ which requires this option for logging of security related
+ messages.
+
+ With this option, the kernel can use netlink to pass audit
+ messages to an audit daemon process. Otherwise, audit messages
+ are logged to syslog.
+
+ See <http://www.nsa.gov/selinux/> for more information
+ on Security-Enhanced Linux.
+
+ CONFIG_AUDITSYSCALL (see below) is also required for
+ system-call auditing.
+
+ If unsure, say N.
I'm puzzled about "end up in the kernel syslog". Looking at include/linux/audit.h
it seems that they go nowhere:
#ifdef CONFIG_AUDIT
[...]
#else
#define audit_log(c,g,t,f,...) do { ; } while (0)
#define audit_log_start(c,g,t) ({ NULL; })
#define audit_log_vformat(b,f,a) do { ; } while (0)
#define audit_log_format(b,f,...) do { ; } while (0)
#define audit_log_end(b) do { ; } while (0)
#define audit_log_hex(a,b,l) do { ; } while (0)
#define audit_log_untrustedstring(a,s) do { ; } while (0)
#define audit_log_n_untrustedstring(a,n,s) do { ; } while (0)
#define audit_log_d_path(b, p, d) do { ; } while (0)
#define audit_enabled 0
#endif
So it looks like if CONFIG_AUDIT is not defined then audit messages are
ignored. Syslog is used by kernel/audit.c when there is an audit
failure, which seems to be mainly if the userspace audit daemon is not
running.
Nick.
--
