From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Camilo Y. Campo"
Subject: audit in /selinux directory
Date: Fri, 09 Mar 2007 16:31:32 -0300
Message-ID: <1173468692.10746.11.camel@cyc>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path:
Received: from mx2.redhat.com (mx2.redhat.com [10.255.15.25]) by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l29JVcbt023812 for ; Fri, 9 Mar 2007 14:31:38 -0500
Received: from igw2.br.ibm.com (igw2.br.ibm.com [32.104.18.25]) by mx2.redhat.com (8.13.1/8.13.1) with ESMTP id l29JVax4010462 for ; Fri, 9 Mar 2007 14:31:37 -0500
Received: from mailhub1.br.ibm.com (mailhub1 [9.18.232.109]) by igw2.br.ibm.com (Postfix) with ESMTP id 33B2E5BD9F for ; Fri, 9 Mar 2007 16:26:20 -0300 (BRT)
Received: from d24av02.br.ibm.com (d24av02.br.ibm.com [9.18.232.47]) by mailhub1.br.ibm.com (8.13.8/8.13.8/NCO v8.3) with ESMTP id l29JVUEh1454296 for ; Fri, 9 Mar 2007 16:31:30 -0300
Received: from d24av02.br.ibm.com (loopback [127.0.0.1]) by d24av02.br.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id l29JUP5D025311 for ; Fri, 9 Mar 2007 16:30:25 -0300
Received: from [9.18.197.111] ([9.18.197.111]) by d24av02.br.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id l29JUPRO025288 for ; Fri, 9 Mar 2007 16:30:25 -0300
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi All,

Some files in /selinux have a weird behavior on audit records... When I try to read (or write) some files with no read (or write) permission, I can't get the audit record even when I watch the file.
Look at this example:

    [root@alex tmp]# auditctl -w /selinux/disable
    [root@alex tmp]# cat /selinux/disable
    cat: /selinux/disable: Invalid argument
    [root@alex tmp]# ausearch -i -f /selinux/disable
    ----
    type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
    type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp
    type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64 syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160 a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)

The cat command failed and audit is saying "success". A bit strange for me.

Could anybody clarify this point for me, please?

Best Regards
--
Camilo Yamauchi Campo
Linux Technology Center
Software Engineer
camilo@br.ibm.com
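Editor's note, not part of the post above: the record Camilo pasted is a SYSCALL event for open(), not for the read() that cat performed afterwards. On x86_64 the a1 field of open is the flags argument, so a1=0 means O_RDONLY, and exit=3 is the file descriptor that was returned, which is why success=yes. A path watch (auditctl -w) matches syscalls that name the path; a subsequent read() or write() on the descriptor does not, so the EINVAL cat reported never appears in a -w record. The script below is an added example (it is not code from the poster or from the audit project) that parses ausearch -i output into events keyed by serial, decodes the open flags, and states which syscall the watch actually captured. The sample input is the record from the post plus one constructed failed-open event, labelled as such; the parser and the O_RDONLY/O_WRONLY/O_RDWR decoding are the editor's own.

```python
import re
from collections import defaultdict

# Sample ausearch -i output. The first event is copied from the mailing-list
# post; the second is CONSTRUCTED to show a failed open() for contrast.
SAMPLE = """\
----
type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp
type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64 syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160 a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
----
type=PATH msg=audit(03/09/2007 16:40:00.000:29700) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=SYSCALL msg=audit(03/09/2007 16:40:00.000:29700) : arch=x86_64 syscall=open success=no exit=-13 a0=7fff74a4a990 a1=1 a2=0 a3=0 items=1 ppid=16073 pid=29021 auid=abat uid=abat gid=abat comm=cat exe=/bin/cat key=(null)
"""

# "type=X msg=audit(<timestamp>:<serial>) : <key=value ...>"
LINE_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<stamp>[^)]*)\) : (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_ausearch(text):
    """Group ausearch -i lines into {serial: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separators such as "----"
        serial = m.group('stamp').rsplit(':', 1)[1]
        events[serial][m.group('type')] = dict(KV_RE.findall(m.group('rest')))
    return dict(events)


def open_access_mode(syscall_fields):
    """Decode the access-mode bits of open()'s flags argument (a1 on x86_64)."""
    flags = int(syscall_fields['a1'], 16)
    return {0: 'O_RDONLY', 1: 'O_WRONLY', 2: 'O_RDWR'}.get(flags & 3, 'O_RDONLY')


def explain(event):
    """One-line reading of an event captured by a path watch."""
    sc = event.get('SYSCALL', {})
    path = event.get('PATH', {}).get('name', '?')
    call = sc.get('syscall')
    if call == 'open':
        mode = open_access_mode(sc)
        if sc.get('success') == 'yes':
            return (f'open({path}, {mode}) succeeded, fd={sc["exit"]}; '
                    'later read/write on that fd is not matched by the path watch')
        return f'open({path}, {mode}) failed, exit={sc.get("exit")}'
    return f'{call}({path}) success={sc.get("success")} exit={sc.get("exit")}'


def syscalls_seen(events, path):
    """Which syscalls the watch on `path` actually recorded."""
    return sorted({ev['SYSCALL']['syscall'] for ev in events.values()
                   if ev.get('PATH', {}).get('name') == path and 'SYSCALL' in ev})


if __name__ == '__main__':
    evs = parse_ausearch(SAMPLE)
    for serial, ev in evs.items():
        print(serial, explain(ev))
    print('syscalls recorded for /selinux/disable:', syscalls_seen(evs, '/selinux/disable'))
```

Run against real output with `ausearch -i -f /selinux/disable | python3 script.py` after replacing SAMPLE with `sys.stdin.read()`; only open-style calls show up, which is the behaviour the post observed.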