From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: auditing syscalls made 'by' an inode?
Date: Fri, 8 Jun 2012 12:01:03 -0400
Message-ID: <201206081201.03334.sgrubb@redhat.com>
References: <4FD2110C.3080400@redhat.com>
To: Peter Moody
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, June 08, 2012 11:36:38 AM Peter Moody wrote:
> On Fri, Jun 8, 2012 at 7:49 AM, Daniel J Walsh wrote:
> > One thing you could do would be to write a simple SELinux domain, like
> > auditproc_t and have unconfined_t transition to it using runcon.
>
> True, but this requires running selinux, which despite all of the
> excellent work you guys have put into making that easy (easier), is
> still a non-starter for some people.

I agree. I'd like to see the capability developed out because it might allow
new kinds of auditing. Like...you might want to audit syscalls with EPERM
started by apache and not under the httpd_t selinux context. :-)

-Steve