[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#6 U1) the latest incarnation



On Thu, 2005-03-24 at 14:23 -0500, Stephen Smalley wrote:
> Then I start to see some audit messages during passwd, but I shouldn't
> have to request read access auditing in order to see modifications
> (especially as that will generate a lot more data, e.g. upon every
> authentication program's use of /etc/shadow).

Ok, I see what is happening.  You call audit_attach_watch() from d_move,
but you will never hit an audit_notify_watch(), hence no audit data upon
renames until a subsequent write to the existing file (which never
happens for /etc/shadow, as it is always re-created and renamed for each
transaction).  So a natural question is what else should be calling
audit_notify_watch besides permission, exec_permission_lite, and
may_delete?  d_move?  may_create?

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]