From: Steve Grubb
Subject: Re: SELinux for auditing
Date: Thu, 1 Feb 2007 10:40:48 -0500
Message-ID: <200702011040.48405.sgrubb@redhat.com>
In-Reply-To: <1170341940.12293.124.camel@moss-spartans.epoch.ncsc.mil>
References: <1170202290.4168.14.camel@localhost.localdomain> <200702010936.59578.sgrubb@redhat.com> <1170341940.12293.124.camel@moss-spartans.epoch.ncsc.mil>
To: Stephen Smalley
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 01 February 2007 09:59, Stephen Smalley wrote:
> > Assuming current generation of audit code...
> >
> > auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
>
> Hmmm...on FC6, that yields an error from auditctl:
> key option needs a watch or syscall given prior to it

Oops, that should be:

auditctl -a exit,always -F perm=w -F obj_type=bin_t -F key=executable

> Dropping the -k option avoids the error message, but overwriting a bin_t
> file doesn't generate any audit message. Similarly, adding a -S open
> avoids the error message while retaining the -k, but overwriting a bin_t
> file doesn't generate any audit message. Not sure where the problem
> lies there.

OK, we should look into this.

> Also, he mentioned RHEL 4 as his platform, so I would tend to think that
> his kernel and auditctl wouldn't support this anyway.

If so, it won't.

> So he may be limited to using auditallow statements in policy, which is
> certainly legitimate use of them (although I understand your goal of
> centralizing audit configuration).

Well, not just centralizing configuration, but that it's actually fit for its purpose. :)

-Steve
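The question Stephen raises above is whether the rule actually produces a record when a bin_t file is overwritten. The following is an added example, not code from the thread or from the audit project: it parses raw audit.log records, groups them by event serial, and reports events whose SYSCALL record carries the rule's key and whose PATH record names an object of the expected SELinux type. The two sample events are constructed here to model what the corrected rule would emit (field layout abbreviated); the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread) in the
# "type=... msg=audit(TIMESTAMP:SERIAL): k=v ..." form auditd writes.
# Event 456 models a write to /usr/bin/foo (bin_t) matching key "executable";
# event 457 is an unrelated read of /etc/passwd with a different key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1170341940.123:456): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1000 pid=1001 auid=500 uid=0 gid=0 euid=0 comm="cp" exe="/bin/cp" subj=user_u:system_r:unconfined_t:s0 key="executable"
type=PATH msg=audit(1170341940.123:456): item=0 name="/usr/bin/foo" inode=12345 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
type=SYSCALL msg=audit(1170341941.500:457): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1000 pid=1002 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key="other"
type=PATH msg=audit(1170341941.500:457): item=0 name="/etc/passwd" inode=99 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw record into (type, (timestamp, serial), {field: value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, (ts, serial), fields


def group_events(log_text):
    """Records sharing a (timestamp, serial) pair belong to one audit event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, eid, fields = rec
            events[eid].append((rtype, fields))
    return events


def selinux_type(context):
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else None


def matching_events(log_text, key, obj_type):
    """Events where the SYSCALL record has the given key and some PATH
    record's object context has the given SELinux type."""
    hits = []
    for eid, recs in group_events(log_text).items():
        syscalls = [f for t, f in recs if t == 'SYSCALL' and f.get('key') == key]
        paths = [f for t, f in recs
                 if t == 'PATH' and selinux_type(f.get('obj', '')) == obj_type]
        if syscalls and paths:
            hits.append({
                'serial': eid[1],
                'exe': syscalls[0].get('exe'),
                'auid': syscalls[0].get('auid'),
                'paths': [p['name'] for p in paths],
            })
    return hits


if __name__ == '__main__':
    for hit in matching_events(SAMPLE_LOG, 'executable', 'bin_t'):
        print(hit)
```

Run against a real audit.log (or the output of `ausearch --raw`), an empty result for the key after a deliberate overwrite of a bin_t file is the symptom Stephen describes; a populated one shows which executable and which login uid (auid) did the write.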