watching files in selinuxfs
Casey Schaufler
casey at schaufler-ca.com
Thu Sep 28 15:33:30 UTC 2006
--- Valdis.Kletnieks at vt.edu wrote:
> On Wed, 27 Sep 2006 18:18:45 EDT, Linda Knippers said:
> >
> > I would think so. I'm not exactly sure how you'd specify the file system
> > you want. Is the major/minor pair?
>
> What's the major/minor for /proc?
You should be able to get that from the
audit record generated by an operation
if you decided to audit /proc/<something>
and then attempt an illegal access.
I wouldn't be too surprised if the value
reported is uninformative. The dev number
is in the audit record for file access,
right?
> (or any other pseudo file system that one might want
> to put a watch on).
If the "device" is not meaningful there ought
to be something useful in the superblock.
> (And am I going to get a brick lobbed at me if I say
> "unionfs"? :)
A half-brick. They have better range.
Casey Schaufler
casey at schaufler-ca.com