Double-clicking an app will cause launchd to fork and start the process. On Leopard posix_spawn is used to start the new process. E.g.

Looking at the launchd source code, it looks like it sets the appropriate audit mask *before* calling posix_spawn(). So is it possible that posix_spawn() doesn't create an audit record?

This seems challenging... there may be no way to identify in the audit trail the name of a program started with launchd (?). This will make security auditing difficult.

Todd

Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
Participants (1): Todd Heberlein