watching files in selinuxfs

Stephen Smalley sds at tycho.nsa.gov
Thu Sep 28 20:42:04 UTC 2006


On Thu, 2006-09-28 at 16:33 -0400, Steve Grubb wrote:
> On Wednesday 27 September 2006 17:26, Debora Velarde wrote:
> > When in enforcing mode, I am only able to audit files in selinuxfs by
> > inode, not by path. I am running as auditadm_r.
> >
> > /* Try adding audit rule with -F path */
> > # auditctl -a exit,always -S open -F path=/selinux/enforce
> > Error sending add rule request (Permission denied)
> 
> When I do this command, I see AVC's:
> 
> time->Thu Sep 28 16:25:12 2006
> type=AVC msg=audit(1159475112.366:289): avc:  denied  { getattr } for  
> pid=12893 comm="auditctl" name="/" dev=hda7 ino=2 
> scontext=root:system_r:auditctl_t:s0-s0:c0.c255 
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> allow auditctl_t fs_t:filesystem getattr;
> allow auditctl_t security_t:dir search;

Yes, seems like that should just be addressed through policy (but likely
in a broader sense, not just these particular types).

-- 
Stephen Smalley
National Security Agency
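
An added example, not part of the original messages: how the first allow rule in the quoted reply follows from the AVC record, by parsing the denial and formatting the matching type-enforcement rule. The function names are hypothetical, and the sample record is the one quoted above with the mail line-wrapping rejoined.

```python
import re

# The AVC record quoted in the thread, rejoined onto one line (mail wrapping removed).
SAMPLE_AVC = (
    'type=AVC msg=audit(1159475112.366:289): avc:  denied  { getattr } for  '
    'pid=12893 comm="auditctl" name="/" dev=hda7 ino=2 '
    'scontext=root:system_r:auditctl_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:mls-range] context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % context)
    return parts[2]


def parse_avc(record):
    """Parse one AVC denial into permissions, source/target type and class."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError('not an AVC denial record')
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in fields:
            raise ValueError('AVC record lacks %s' % key)
    return {
        'perms': m.group('perms').split(),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def allow_rule(avc):
    """Format the type-enforcement rule that would permit the denied access."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (avc['source'], avc['target'], avc['tclass'], perm_text)


if __name__ == '__main__':
    print(allow_rule(parse_avc(SAMPLE_AVC)))
```

The MLS range (`s0-s0:c0.c255`) contains colons of its own, which is why the type is taken by position rather than as the last field of the context.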



