[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How do I figure out on what file dac_override is attempted?



On Wednesday 20 January 2010 02:50:52 pm Stephen Smalley wrote:
> > Here is my blog on it.
> > 
> > http://danwalsh.livejournal.com/34903.html
> 
> 1) Your watch will actually trigger some audit messages since that file
> does get written sometimes, vs. using Eric or Steve Grubb's suggestion
> which should never fire.

I had suggested to Dan to use a file watch so as not to impact performance as 
much if the system is a busy one, but I had suggested a file that should never 
be written to like /etc/service, /etc/shells, or /etc/protocols. The file is 
matched by hash rather than looping through the syscall rules which does make 
things run faster.

> 2) I see a type=PATH record rather than type=AVC_PATH, e.g.:
> As I recall, AVC_PATH was for the case where we could directly generate
> the pathname during AVC audit (i.e. the hook had the vfsmount and dentry
> available to it), whereas PATH is when syscall audit collected the
> pathname on entry.

That would be duplication of audit records. PATH should be emitted whenever 
you want the object of the syscall. It appears that AVC_PATH has been 
deprecated.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]