[redhat-lspp] userdomain policy question ..
Janak Desai
janak at us.ibm.com
Tue Aug 8 15:37:55 UTC 2006
On Tue, 2006-08-08 at 11:10 -0400, James Antill wrote:
> On Tue, 2006-08-08 at 09:19 -0400, Janak Desai wrote:
>
> > Klaus, would it be sufficient, for meeting LSPP requirement, to
> > audit write(2) of the fscreate file?
>
> Doesn't audit write work via. inode numbers? If so I don't see how you
> could audit anything in /proc (try: ls -i /proc/self/.). Even if you can
> fix the inode stability problem, how can you specify to
> audit /proc/*/attr/fscreate?
>
Yes, this was pointed out by one of my team member as well. He is
currently investigating setting up watches and possibly capturing
open() call. I am adding Steve Grubb and Amy to the cc list in
case they have any ideas on what we can do. Basically, we need to
audit the fact that /proc/*/attr/fscreate file has been updated
with a new context.
-Janak
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
More information about the redhat-lspp
mailing list