From: Steve Grubb
Subject: Re: How do I figure out on what file dac_override is attempted?
Date: Wed, 20 Jan 2010 15:13:23 -0500
Message-ID: <201001201513.23697.sgrubb@redhat.com>
References: <19284.52512.295295.185383@gargle.gargle.HOWL> <4B57582D.7070904@redhat.com> <1264017052.24133.161.camel@moss-pluto.epoch.ncsc.mil>
In-Reply-To: <1264017052.24133.161.camel@moss-pluto.epoch.ncsc.mil>
To: linux-audit@redhat.com
Cc: selinux@lists.fedoraproject.org, Joshua Brindle

On Wednesday 20 January 2010 02:50:52 pm Stephen Smalley wrote:
> > Here is my blog on it.
> >
> > http://danwalsh.livejournal.com/34903.html
>
> 1) Your watch will actually trigger some audit messages since that file
> does get written sometimes, vs. using Eric or Steve Grubb's suggestion
> which should never fire.

I had suggested to Dan to use a file watch so as not to impact performance as
much if the system is a busy one, but I had suggested a file that should never
be written to like /etc/service, /etc/shells, or /etc/protocols. The file is
matched by hash rather than looping through the syscall rules which does make
things run faster.

> 2) I see a type=PATH record rather than type=AVC_PATH, e.g.:
> As I recall, AVC_PATH was for the case where we could directly generate
> the pathname during AVC audit (i.e. the hook had the vfsmount and dentry
> available to it), whereas PATH is when syscall audit collected the
> pathname on entry.

That would be duplication of audit records. PATH should be emitted whenever you
want the object of the syscall. It appears that AVC_PATH has been deprecated.

-Steve
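The two points in the message above add up to a workflow: a watch rule on a file that is never written in normal operation keeps the audit overhead low, and once an event does fire, the PATH record that syscall audit attaches to the same event serial tells you which object the dac_override denial concerned. The script below is an added example and not code from the thread or from the audit project; it groups audit records by serial number and, for every denied dac_override AVC, pulls the object path(s) from the PATH records of the same event, resolving relative names against the CWD record. The watch rule string, the log lines, and every pid, inode, context and timestamp in them are constructed for the example.

```python
import os
import re
from collections import defaultdict

# Illustrative watch rule in auditctl syntax (an assumption of this example,
# not a rule quoted from the thread): audit write attempts on a file that
# normal operation never writes, keyed so the events are easy to search for.
WATCH_RULE = '-w /etc/shells -p w -k dac_probe'

# Constructed sample of what auditd might log. Three events carry a denied
# dac_override AVC (serials 4567, 4570, 4575); serial 4568 is an unrelated
# file-read denial and must be ignored. Serial 4575 has no PATH record at all.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1264017052.123:4567): avc:  denied  { dac_override } for  pid=1234 comm="foo" capability=1  scontext=system_u:system_r:foo_t:s0 tcontext=system_u:system_r:foo_t:s0 tclass=capability
type=SYSCALL msg=audit(1264017052.123:4567): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1e2a0 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 comm="foo" exe="/usr/bin/foo" subj=system_u:system_r:foo_t:s0 key="dac_probe"
type=CWD msg=audit(1264017052.123:4567):  cwd="/"
type=PATH msg=audit(1264017052.123:4567): item=0 name="/etc/shells" inode=12345 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1264017052.300:4568): avc:  denied  { read } for  pid=1240 comm="bar" name="shadow" dev=sda2 ino=222 scontext=system_u:system_r:bar_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1264017055.001:4570): avc:  denied  { dac_override } for  pid=1250 comm="baz" capability=1  scontext=system_u:system_r:baz_t:s0 tcontext=system_u:system_r:baz_t:s0 tclass=capability
type=SYSCALL msg=audit(1264017055.001:4570): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1e2b0 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=1250 uid=500 comm="baz" exe="/usr/bin/baz" subj=system_u:system_r:baz_t:s0 key=(null)
type=CWD msg=audit(1264017055.001:4570):  cwd="/etc"
type=PATH msg=audit(1264017055.001:4570): item=0 name="passwd" inode=333 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0
type=AVC msg=audit(1264017060.500:4575): avc:  denied  { dac_override } for  pid=1260 comm="qux" capability=1  scontext=system_u:system_r:qux_t:s0 tcontext=system_u:system_r:qux_t:s0 tclass=capability
type=SYSCALL msg=audit(1264017060.500:4575): arch=c000003e syscall=91 success=no exit=-1 items=0 ppid=1 pid=1260 uid=500 comm="qux" exe="/usr/bin/qux" subj=system_u:system_r:qux_t:s0 key=(null)
"""

# Every audit record starts with: type=<TYPE> msg=audit(<seconds.ms>:<serial>):
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs in the body; a value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into type, event serial and key/value fields."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
    return {'type': m.group('type'), 'serial': int(m.group('serial')),
            'ts': m.group('ts'), 'body': m.group('body'), 'fields': fields}


def group_events(lines):
    """Records that share a serial number belong to the same audit event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec['serial']].append(rec)
    return events


def dac_override_objects(lines):
    """For each event with a denied dac_override AVC, report the process and
    the object path(s) recovered from that event's PATH records."""
    results = []
    for serial, recs in sorted(group_events(lines).items()):
        avcs = [r for r in recs if r['type'] == 'AVC'
                and 'denied' in r['body'] and '{ dac_override }' in r['body']]
        if not avcs:
            continue
        syscall = next((r['fields'] for r in recs if r['type'] == 'SYSCALL'), {})
        cwd = next((r['fields'].get('cwd', '/') for r in recs if r['type'] == 'CWD'), '/')
        paths = []
        for r in recs:
            name = r['fields'].get('name') if r['type'] == 'PATH' else None
            if not name or name == '(null)':  # PATH record without a usable name
                continue
            # A PATH name is relative to the event's CWD record unless absolute.
            paths.append(name if os.path.isabs(name)
                         else os.path.normpath(os.path.join(cwd, name)))
        results.append({
            'serial': serial, 'ts': avcs[0]['ts'],
            'pid': avcs[0]['fields'].get('pid'), 'comm': avcs[0]['fields'].get('comm'),
            'scontext': avcs[0]['fields'].get('scontext'),
            'exe': syscall.get('exe'), 'syscall': syscall.get('syscall'),
            'key': syscall.get('key'),
            'paths': paths,  # empty when the event carried no PATH record
        })
    return results


if __name__ == '__main__':
    print('watch rule (illustrative):', WATCH_RULE)
    for ev in dac_override_objects(SAMPLE_AUDIT_LOG.splitlines()):
        target = ', '.join(ev['paths']) or '<no PATH record in event>'
        print(f"serial={ev['serial']} pid={ev['pid']} comm={ev['comm']} "
              f"scontext={ev['scontext']} syscall={ev['syscall']} object={target}")
```

On a live system the records for a keyed rule would normally come from `ausearch -k dac_probe` rather than from an embedded string; the script only needs the resulting lines. An event with no PATH record (the last sample event) is reported with an empty path list rather than dropped, since a dac_override check can occur on syscalls that syscall audit records with no filename.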