From: Linda Knippers
Subject: Re: watching files in selinuxfs
Date: Wed, 27 Sep 2006 18:18:45 -0400
Message-ID: <451AF8C5.4070806@hp.com>
In-Reply-To: <20060927221131.GA10199@w-m-p.com>
To: Klaus Weidner
Cc: linux-audit@redhat.com

Klaus Weidner wrote:
> On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
>
>>Debora Velarde wrote:
>>
>>># auditctl -a exit,always -S open -F inode=4
>>># auditctl -l
>>>LIST_RULES: exit,always inode=4 (0x4) syscall=open
>>
>>I wonder what this is actually doing. An inode number without
>>a file system isn't very interesting. Should this rule even
>>be accepted?
>
>
> Well, probably this is telling the audit system to audit access to all
> inodes with the number 4 on any filesystem, and if that's not what you
> want you need to be more specific...

That's exactly what it's doing. Debora verified she's getting the
audit record she's looking for and I verified that you'll also get
audit records for any inode 4, at least on my system.

>
> Given the Unix philosophy of allowing admins to shoot themselves in the
> foot, would a warning be appropriate?

I would think so. I'm not exactly sure how you'd specify the file
system you want. Is it the major/minor pair?

-- ljk
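
An added illustration, not part of the original thread: inode numbers are
allocated per filesystem, so a filter on inode 4 alone selects one object on
every mounted filesystem, while the device major/minor pair reported by
stat(2) together with the inode number names a single object. The sample
paths and device numbers are constructed assumptions.

```python
import os
from collections import defaultdict

# Constructed sample records: (path, dev_major, dev_minor, inode).
# Paths and device numbers are illustrative, not values from the thread.
SAMPLE = [
    ("/selinux/example-node", 0, 17, 4),
    ("/boot/example-file", 8, 1, 4),
    ("/home/example-dir", 253, 0, 4),
    ("/etc/example.conf", 253, 0, 1311),
]


def file_identity(path):
    """Return (dev_major, dev_minor, inode) for a real path via stat(2)."""
    st = os.stat(path)
    return os.major(st.st_dev), os.minor(st.st_dev), st.st_ino


def inode_only_matches(records, inode):
    """Records selected when only the inode number is compared."""
    return [r for r in records if r[3] == inode]


def qualified_matches(records, major, minor, inode):
    """Records selected when device and inode are compared together."""
    return [r for r in records if r[1:] == (major, minor, inode)]


def ambiguous_inodes(records):
    """Map each inode number seen on more than one device to those devices."""
    devices = defaultdict(set)
    for _path, major, minor, inode in records:
        devices[inode].add((major, minor))
    return {ino: sorted(devs) for ino, devs in devices.items() if len(devs) > 1}


if __name__ == "__main__":
    print("identity of /:", file_identity("/"))
    print("inode-only filter on 4:")
    for rec in inode_only_matches(SAMPLE, 4):
        print("   ", rec)
    print("device-qualified filter (0:17, inode 4):")
    for rec in qualified_matches(SAMPLE, 0, 17, 4):
        print("   ", rec)
    print("ambiguous inode numbers:", ambiguous_inodes(SAMPLE))
```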