[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

audit in /selinux directory

Hi All,

Some files in /selinux have a weird behavior on audit records... When I
try read (or write) some files with no read (or write) permission, I
can't get the audit record even when I watch the file.
Look at this example:
[root alex tmp]# auditctl -w /selinux/disable 
[root alex tmp]# cat /selinux/disable
cat: /selinux/disable: Invalid argument
[root alex tmp]# ausearch -i -f /selinux/disable
type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0
name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0 
type=CWD msg=audit(03/09/2007 16:23:01.340:29662) :  cwd=/tmp 
type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64
syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160
a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023

The cat command failed and audit is saying "success". A bit strange for
me. Could anybody clarify this point for me, please?

Best Regards


Camilo Yamauchi Campo
Linux Technology Center
Software Engineer
camilo br ibm com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]