From mboxrd@z Thu Jan 1 00:00:00 1970
From: Klaus Weidner
Subject: Re: watching files in selinuxfs
Date: Wed, 27 Sep 2006 17:11:31 -0500
Message-ID: <20060927221131.GA10199@w-m-p.com>
References: <451AF14C.9080908@hp.com>
In-Reply-To: <451AF14C.9080908@hp.com>
To: Linda Knippers
Cc: linux-audit@redhat.com

On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
> Debora Velarde wrote:
> > # auditctl -a exit,always -S open -F inode=4
> > # auditctl -l
> > LIST_RULES: exit,always inode=4 (0x4) syscall=open
>
> I wonder what this is actually doing. An inode number without
> a file system isn't very interesting. Should this rule even
> be accepted?

Well, probably this is telling the audit system to audit access to all
inodes with the number 4 on any filesystem, and if that's not what you
want you need to be more specific...

Given the Unix philosophy of allowing admins to shoot themselves in the
foot, would a warning be appropriate?

-Klaus
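
Added example, not part of the original message or of the audit project's code: a small Python model of the reading given above, in which an inode-only rule matches inode 4 on every filesystem, and a helper that builds a rule pinned to one device. The sample objects are constructed, and the helper assumes the installed auditctl accepts the devmajor and devminor fields alongside inode.

```python
import os
from collections import namedtuple

# Constructed sample objects: the paths and device numbers are made up for
# illustration; the point is that inode 4 exists on several filesystems.
Obj = namedtuple("Obj", "path devmajor devminor inode")
SAMPLE = [
    Obj("/selinux/example", 0, 17, 4),
    Obj("/boot/example", 8, 1, 4),
    Obj("/home/example", 8, 3, 4),
    Obj("/home/other", 8, 3, 5),
]

def matches(rule, obj):
    """A rule is a dict of -F fields; all fields must match (they are ANDed)."""
    return all(getattr(obj, field) == value for field, value in rule.items())

def matched_paths(rule, objs=SAMPLE):
    """Paths whose open() would be audited under this model of the rule."""
    return [o.path for o in objs if matches(rule, o)]

def narrowed_rule(path):
    """Build a rule for an existing path that pins the device as well as the inode."""
    st = os.stat(path)
    return ("auditctl -a exit,always -S open -F inode=%d -F devmajor=%d -F devminor=%d"
            % (st.st_ino, os.major(st.st_dev), os.minor(st.st_dev)))

if __name__ == "__main__":
    # Inode alone: every filesystem's inode 4 is in scope.
    print("inode=4 only:    ", matched_paths({"inode": 4}))
    # Inode plus device: only the intended object is in scope.
    print("inode=4 + device:", matched_paths({"inode": 4, "devmajor": 0, "devminor": 17}))
    print(narrowed_rule("/"))
```
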