[RFC][PATCH] (#6) filesystem auditing
Stephen Smalley
sds at tycho.nsa.gov
Tue Mar 15 18:41:39 UTC 2005
On Tue, 2005-03-15 at 12:33 -0600, Timothy R. Chavez wrote:
> Oops, I was looking at an unpatched auditctl.c (doh!) so I don't think this is
> the problem necessarily, but if you could please verify that you do make it
> past audit_netlink_ok(), into audit_watch_insert(), and then print out the
> values, that'd help. I'm trying to think of where you'd get invalids. And
> you're right, it's likely that at least the payload is malformed in some way.
Ah, I think SELinux is stopping it. Even in permissive mode. SELinux
applies a check from the netlink_send() hook, and it doesn't presently
have a mapping for the new audit operations you are introducing, so it
rejects the request as invalid. That security stuff, always getting in
the way ;)
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency