auditing syscalls made 'by' an inode?

Steve Grubb sgrubb at redhat.com
Fri Jun 8 16:01:03 UTC 2012


On Friday, June 08, 2012 11:36:38 AM Peter Moody wrote:
> On Fri, Jun 8, 2012 at 7:49 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > One thing you could do would be to write a simple SELinux domain, like
> > auditproc_t and have unconfined_t transition to it using runcon.
> 
> True, but this requires running selinux, which despite all of the
> excellent work you guys have put into making that easy (easier), is
> still a non-starter for some people.

I agree. I'd like to see the capability developed out because it might allow new 
kinds of auditing. Like...you might want to audit syscalls with EPERM started by 
apache and not under the httpd_t selinux context. :-)

-Steve



