It seems that starting the audit log from /sbin/ccs-init might be better than from init.d.
1. add a simple audit log config file /etc/ccs/log.conf:
2. in ccs-init start audit log:
    if touch "$permit_log" && touch "$reject_log"; then
        /usr/lib/ccs/ccs-auditd "$permit_log" "$reject_log"
    fi
3. then start the selected policy
4. if a log file is an ordinary file (not /dev/null, /dev/console, etc.), and not protected by any deny_rewrite item, automatically add it to the current Exception policy
so that audit logs are complete and protected, and the file name could be timestamped for each boot when needed.
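
Step 4 of the proposal above, sketched as an added example that is not part of the original post or of the TOMOYO tools. The function names and the policy-file argument are hypothetical, and it assumes exception-policy entries are lines of the form "deny_rewrite <pathname>" that are compared literally, without pattern expansion.

```shell
# Added illustration; function names and the policy-file argument are hypothetical.
# Assumption: exception-policy entries look like "deny_rewrite <pathname>" and
# are matched literally here (patterns in the policy are not expanded).

# Succeeds only for an existing ordinary file, so /dev/null, /dev/console and
# other device nodes are rejected. Symlinks are skipped as a conservative
# choice of this example.
is_ordinary_log() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Succeeds if the policy file already holds a deny_rewrite entry for this path.
has_deny_rewrite() {   # $1 = policy file, $2 = log path
    grep -Fqx "deny_rewrite $2" "$1" 2>/dev/null
}

# Print the deny_rewrite lines still missing for the given log files.
# The caller decides how to feed them into the current exception policy.
missing_deny_rewrite() {   # $1 = policy file, remaining args = log paths
    policy=$1
    shift
    for log in "$@"; do
        is_ordinary_log "$log" || continue
        has_deny_rewrite "$policy" "$log" || printf 'deny_rewrite %s\n' "$log"
    done
}
```

Called after the touch step with "$permit_log" and "$reject_log" as the log paths, it prints nothing when both logs are already covered or are not ordinary files.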
RE: TOMOYO audit logs (2007-10-22 09:29 by kumaneko #32887)
Thank you for your opinion.
Starting /usr/lib/ccs/ccs-auditd at /sbin/ccs-init would be possible
if /var/ partition is mounted read-write and /usr/ partition is mounted read-only,
but these partitions have to be mounted read-only at that moment
because fsck is called at /etc/rc.d/rc.sysinit.
TOMOYO can hold access logs up to MAX_GRANT_LOG and MAX_REJECT_LOG entries
in the kernel memory so that access logs won't be lost
when these partitions are not ready to write.