How do I figure out on what file dac_override is attempted?
Steve Grubb
sgrubb at redhat.com
Wed Jan 20 20:13:23 UTC 2010
On Wednesday 20 January 2010 02:50:52 pm Stephen Smalley wrote:
> > Here is my blog on it.
> >
> > http://danwalsh.livejournal.com/34903.html
>
> 1) Your watch will actually trigger some audit messages since that file
> does get written sometimes, vs. using Eric or Steve Grubb's suggestion
> which should never fire.
I had suggested to Dan to use a file watch so as not to impact performance as
much if the system is a busy one, but I had suggested a file that should never
be written to like /etc/service, /etc/shells, or /etc/protocols. The file is
matched by hash rather than looping through the syscall rules which does make
things run faster.
> 2) I see a type=PATH record rather than type=AVC_PATH, e.g.:
> As I recall, AVC_PATH was for the case where we could directly generate
> the pathname during AVC audit (i.e. the hook had the vfsmount and dentry
> available to it), whereas PATH is when syscall audit collected the
> pathname on entry.
That would be duplication of audit records. PATH should be emitted whenever
you want the object of the syscall. It appears that AVC_PATH has been
deprecated.
-Steve
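A way to act on the point above that PATH records carry the object of the syscall, as an added example that is not part of the original thread: it groups audit records by event serial and pairs each dac_override AVC denial with the PATH record(s) of the same event, flagging denials that arrived without any PATH record (the case where no syscall rule or watch was loaded). The log excerpt is constructed for illustration, not real data.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not real data). The serial in
# msg=audit(TIMESTAMP:SERIAL) ties an AVC record to the SYSCALL/CWD/PATH
# records of the same event; those are only present when a syscall rule
# or file watch is loaded. The second event deliberately has no PATH record.
SAMPLE_LOG = """\
type=AVC msg=audit(1264018403.123:4711): avc:  denied  { dac_override } for  pid=2345 comm="httpd" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1264018403.123:4711): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2345 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=CWD msg=audit(1264018403.123:4711):  cwd="/"
type=PATH msg=audit(1264018403.123:4711): item=0 name="/var/www/html/.htaccess" inode=12345 dev=fd:00 mode=0100600 ouid=0 ogid=0 obj=system_u:object_r:httpd_sys_content_t:s0
type=AVC msg=audit(1264018500.777:4720): avc:  denied  { dac_override } for  pid=2399 comm="backup" capability=1  scontext=system_u:system_r:backup_t:s0 tcontext=system_u:system_r:backup_t:s0 tclass=capability
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group records by event serial as (type, raw_body, {field: value})."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[int(serial)].append((rtype, body, fields))
    return events

def dac_override_targets(text):
    """For each dac_override denial, report the process and the PATH(s) it hit."""
    results = []
    for serial, records in sorted(parse_records(text).items()):
        denied = [f for t, body, f in records
                  if t == 'AVC' and 'denied' in body and 'dac_override' in body]
        if not denied:
            continue
        syscall = next((f for t, _, f in records if t == 'SYSCALL'), {})
        paths = [f['name'] for t, _, f in records if t == 'PATH' and 'name' in f]
        results.append({
            'serial': serial,
            'comm': denied[0].get('comm'),
            'scontext': denied[0].get('scontext'),
            'exe': syscall.get('exe'),
            'syscall': syscall.get('syscall'),
            'paths': paths,
            # No PATH record means syscall auditing was not collecting paths.
            'note': None if paths else 'no PATH record: load a file watch first',
        })
    return results

if __name__ == '__main__':
    for r in dac_override_targets(SAMPLE_LOG):
        print(r)
```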