watching files in selinuxfs

Linda Knippers linda.knippers at hp.com
Wed Sep 27 21:46:52 UTC 2006


Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by
> inode, not by path. I am running as auditadm_r.
> 
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)
> 
> # auditctl -l
> No rules
> 
> /* Try adding audit rule with -w path syntax */
> # auditctl -w /selinux/enforce
> Error sending add rule request (Permission denied)
> 
> /* Try adding audit rule with -F inode */
> # ls -i /selinux/enforce
> 4 /selinux/enforce
> 
> # auditctl -a exit,always -S open -F inode=4
> # auditctl -l
> LIST_RULES: exit,always inode=4 (0x4) syscall=open

I wonder what this is actually doing.  An inode number without
a file system isn't very interesting.  Should this rule even
be accepted?

> 
> Since it is possible to audit the files, this might only require a 
> documentation change.  Perhaps adding a comment to the auditctl man page 
> would be sufficient?
> 
> -debbie

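Added example, not part of the original messages: an inode number is only unique within one filesystem, which is the concern the reply raises about `-F inode=4`. The sketch below prints an inode rule that also names the device the inode was read from. It assumes GNU `stat` and an `auditctl` that accepts the `devmajor`/`devminor` fields; the function names are hypothetical.

```bash
#!/bin/sh
# Added example (not from the thread). Prints rules only; nothing is loaded.

# Decode a Linux dev_t (decimal, as printed by `stat -c %d`) using the
# same bit layout as glibc's major()/minor().
dev_major() { echo $(( (($1 >> 8) & 0xfff) | (($1 >> 32) & 0xfffff000) )); }
dev_minor() { echo $(( ($1 & 0xff) | (($1 >> 12) & 0xffffff00) )); }

# Print "major:minor:inode" for a path. The inode alone is ambiguous:
# every mounted filesystem may have its own inode 4.
file_key() {
    ino=$(stat -c %i -- "$1") || return 1
    dev=$(stat -c %d -- "$1") || return 1
    echo "$(dev_major "$dev"):$(dev_minor "$dev"):$ino"
}

# Print an auditctl command for the inode of $1, qualified by its device.
# Assumption: devmajor/devminor are accepted as extra filters on the rule.
inode_rule() {
    key=$(file_key "$1") || return 1
    maj=${key%%:*}
    rest=${key#*:}
    printf 'auditctl -a exit,always -S open -F inode=%s -F devmajor=%s -F devminor=%s\n' \
        "${rest#*:}" "$maj" "${rest%%:*}"
}

# Stand-alone use: sh inode_rule.sh /selinux/enforce
if [ "$#" -gt 0 ]; then
    inode_rule "$1"
fi
```

Inode numbers on virtual filesystems such as selinuxfs are assigned at mount time, so a rule built this way should be regenerated after a reboot or remount.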