From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: filter specific file from specific program Date: Fri, 2 Dec 2011 10:04:15 -0500 Message-ID: <201112021004.15671.sgrubb@redhat.com> References: <1322599123.7751.YahooMailRC@web83807.mail.sp1.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1322599123.7751.YahooMailRC@web83807.mail.sp1.yahoo.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: Lance Dillon List-Id: linux-audit@redhat.com On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote: > I have a need to filter a file from auditing, but only from a specific > process. We are running splunk, and indexing /var/log/audit/audit.log. We > want audit.log to be monitored, so we are using a dir watch on > /var/log/audit, but we just don't want splunk access to be reported. > Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because it > filters everything, not that specific process. The object is the file. The subject would be the program accessing the file. You could use subj_type. > However, it actually spawns another process to do the actual access, so I can't > filter on pid either. It runs unconfined, Which is a big problem because you really don't want it to be unconfined. > so I can't filter on subj_type=unconfined_t, because that would filter way too much. > > It was suggested to me to use audit roles. If this is something separate > from selinux context, perhaps someone can point me in the right direction? > I only want to filter out (not audit) access to audit.log from the > specific process /opt/splunkforwarder/bin/splunkd (and any forks it may > do). I think you might could make the helper app setgid and then filter that out. -a never,exit -F gid=xxx -Steve