watching files in selinuxfs
Stephen Smalley
sds at tycho.nsa.gov
Thu Sep 28 13:34:43 UTC 2006
On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by
> inode, not by path. I am running as auditadm_r.
>
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)
What avc denial do you get? I suspect this just means the policy should
be changed to allow e.g. search on security_t:dir for auditctl.
>
> # auditctl -l
> No rules
>
> /* Try adding audit rule with -w path syntax */
> # auditctl -w /selinux/enforce
> Error sending add rule request (Permission denied)
>
> /* Try adding audit rule with -F inode */
> # ls -i /selinux/enforce
> 4 /selinux/enforce
>
> # auditctl -a exit,always -S open -F inode=4
> # auditctl -l
> LIST_RULES: exit,always inode=4 (0x4) syscall=open
>
>
> Since it is possible to audit the files, this might only require a
> documentation change. Perhaps adding a comment to the auditctl man page
> would be sufficient?
--
Stephen Smalley
National Security Agency
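Stephen's reply turns on what the AVC denial actually says, since that is what determines the policy change. The following is an added example, not code from the thread or from the audit project: a POSIX shell function that reads AVC records and prints the type-enforcement allow rules they imply, the way a practitioner would check a denial before editing policy. The sample records are constructed; the source domain name (auditctl_t) and the exact denied permissions are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the original thread): turn AVC denial records into
# the "allow" rules they call for, merging permissions per source/target/class.
# The records below are constructed; auditctl_t as the auditctl domain and the
# specific denials (search on security_t:dir, getattr on security_t:file) are
# assumptions used only to illustrate the check.

SAMPLE_AVC='type=AVC msg=audit(1159449600.123:42): avc:  denied  { search } for  pid=1234 comm="auditctl" name="/" dev=selinuxfs ino=1 scontext=root:auditadm_r:auditctl_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1159449600.124:43): avc:  denied  { getattr } for  pid=1234 comm="auditctl" path="/selinux/enforce" dev=selinuxfs ino=4 scontext=root:auditadm_r:auditctl_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1159449600.125:44): avc:  denied  { search } for  pid=1235 comm="auditctl" name="/" dev=selinuxfs ino=1 scontext=root:auditadm_r:auditctl_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir'

# Read AVC records on stdin; print one allow rule per distinct
# (source type, target type, object class), with permissions merged
# and duplicates dropped. Output is sorted so it is stable.
avc_to_allow() {
    # Pull out: scontext tcontext tclass <permissions...>
    sed -n 's/.*avc:  denied  { \([^}]*\)} .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk '{
        # Contexts are user:role:type[:range]; the type is the third field.
        split($1, s, ":"); split($2, t, ":")
        key = s[3] " " t[3] ":" $3
        # Fields 4..NF are the permissions inside the braces.
        for (i = 4; i <= NF; i++)
            if (!seen[key, $i]++) perms[key] = perms[key] " " $i
    }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }' |
    sort
}

# Run against the constructed records when executed directly.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

On a real system the equivalent input comes from `ausearch -m avc -c auditctl`, and `audit2allow` produces the same kind of rule; the point of seeing the raw denial first is to confirm the target type is security_t and the class is dir before loosening anything, rather than allowing whatever a tool suggests.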