Klaus Weidner wrote:
>On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
>>Debora Velarde wrote:
>>
>>># auditctl -a exit,always -S open -F inode=4
>>># auditctl -l
>>>LIST_RULES: exit,always inode=4 (0x4) syscall=open
>>
>>I wonder what this is actually doing. An inode number without
>>a file system isn't very interesting. Should this rule even
>>be accepted?
>Well, probably this is telling the audit system to audit access to all
>inodes with the number 4 on any filesystem, and if that's not what you
>want you need to be more specific...
That's exactly what it's doing. Debora verified she's getting the audit
record she's looking for and I verified that you'll also get audit records
for any inode 4, at least on my system.
>Given the Unix philosophy of allowing admins to shoot themselves in the
>foot, would a warning be appropriate?
I would think so. I'm not exactly sure how you'd specify the file system
you want. Is it the major/minor pair?
-- ljk
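As an added example, not part of the thread above: auditctl's rule fields include devmajor and devminor, so an inode-only rule like the one quoted can be narrowed to one filesystem by adding the containing device's major/minor numbers. The helper below assumes GNU `stat -c '%d %i'` and the glibc st_dev encoding; it only builds and prints the rule text, it does not load anything into the kernel.

```shell
#!/bin/sh
# Added example: scope an inode-based audit rule to a single filesystem.
# Assumes GNU coreutils stat and auditctl's devmajor/devminor fields.

# Split a decimal st_dev (as printed by `stat -c %d`) into major and minor
# using the glibc encoding: major bits at 8..19 and 32+, minor bits at
# 0..7 and 20..31.
dev_major() { echo $(( (($1 >> 8) & 0xfff) | (($1 >> 32) & ~0xfff) )); }
dev_minor() { echo $(( ($1 & 0xff) | (($1 >> 12) & ~0xff) )); }

# The rule as quoted in the thread: matches inode N on *every* filesystem.
unscoped_rule() {
    printf -- '-a exit,always -S open -F inode=%s\n' "$1"
}

# Same rule pinned to one device: $1 = decimal st_dev, $2 = inode number.
audit_rule_for_inode() {
    printf -- '-a exit,always -S open -F devmajor=%s -F devminor=%s -F inode=%s\n' \
        "$(dev_major "$1")" "$(dev_minor "$1")" "$2"
}

# Convenience wrapper: derive device and inode from a path.
audit_rule_for_path() {
    set -- $(stat -c '%d %i' "$1")
    audit_rule_for_inode "$1" "$2"
}

# Constructed sample: st_dev 2049 is /dev/sda1 (major 8, minor 1) on a
# typical Linux box; inode 4 is the value from the thread.
unscoped_rule 4
audit_rule_for_inode 2049 4
```

Inode numbers are recycled when files are deleted and recreated, so for a known path the plain `auditctl -w /path` watch is usually the better fit; the devmajor/devminor form is for the case where you really do want a specific inode on a specific device.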