watching files in selinuxfs
Debora Velarde
dvelarde at us.ibm.com
Thu Sep 28 18:39:08 UTC 2006
Stephen Smalley <sds at tycho.nsa.gov> wrote on 09/28/2006 06:34:43 AM:
> On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
> > When in enforcing mode, I am only able to audit files in selinuxfs by
> > inode, not by path. I am running as auditadm_r.
> >
> > /* Try adding audit rule with -F path */
> > # auditctl -a exit,always -S open -F path=/selinux/enforce
> > Error sending add rule request (Permission denied)
>
> What avc denial do you get? I suspect this just means the policy should
> be changed to allow e.g. search on security_t:dir for auditctl.
I don't see any AVC messages when I try to add this rule.
The only new record I see is:
type=CONFIG_CHANGE msg=audit(1159461436.758:1016): auid=500
subj=staff_u:auditadm_r:auditctl_t:s0-s15:c0.c255 add rule key=(null)
list=4 res=0
But no rule was added:
# auditctl -l
No rules
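
Added example, not part of the original message or of the audit project's code: a small Python check that finds CONFIG_CHANGE records with res=0 (a rule change that did not take effect) and reports whether any AVC denial from the same subject context was logged nearby, which is the comparison made by hand in this thread. The 2-second window, the function names and every sample record except the first are assumptions constructed for illustration.

```python
import re

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r"(\w+)=(\S+)")
SUBJ = "staff_u:auditadm_r:auditctl_t:s0-s15:c0.c255"

# First record is the one quoted in the message, re-joined onto one line.
# The remaining three are constructed sample records.
SAMPLE = [
    "type=CONFIG_CHANGE msg=audit(1159461436.758:1016): auid=500 "
    f"subj={SUBJ} add rule key=(null) list=4 res=0",
    "type=CONFIG_CHANGE msg=audit(1159461500.120:1020): auid=500 "
    f"subj={SUBJ} add rule key=(null) list=4 res=1",
    "type=AVC msg=audit(1159461600.498:1030): avc:  denied  { search } for  "
    f'pid=2101 comm="auditctl" dev=selinuxfs ino=1 scontext={SUBJ} '
    "tcontext=system_u:object_r:security_t:s0 tclass=dir",
    "type=CONFIG_CHANGE msg=audit(1159461600.500:1031): auid=500 "
    f"subj={SUBJ} add rule key=(null) list=4 res=0",
]

def parse(line):
    """Split one audit record into type, timestamp, event id and fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = dict(FIELD.findall(body))
    # Records like the one above log the operation as bare words
    # ("add rule") rather than as an op= field; accept both forms.
    bare = " ".join(t for t in body.split() if "=" not in t)
    fields.setdefault("op", bare)
    return {"type": rtype, "ts": float(ts), "event": f"{ts}:{serial}",
            "fields": fields}

def failed_config_changes(lines, window=2.0):
    """Return failed CONFIG_CHANGE records, flagged with nearby AVC denials."""
    records = [r for r in map(parse, lines) if r]
    avcs = [r for r in records if r["type"] == "AVC"]
    findings = []
    for r in records:
        f = r["fields"]
        if r["type"] != "CONFIG_CHANGE" or f.get("res") != "0":
            continue
        # Assumption: match on subject context within a short time window.
        has_avc = any(a["fields"].get("scontext") == f.get("subj")
                      and abs(a["ts"] - r["ts"]) <= window for a in avcs)
        findings.append({"event": r["event"], "op": f["op"],
                         "subj": f.get("subj"), "has_avc": has_avc})
    return findings

if __name__ == "__main__":
    for finding in failed_config_changes(SAMPLE):
        print(finding)
```

A finding with has_avc set to False corresponds to the situation reported here: the rule change failed and no denial was logged alongside it.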