Re: filter specific file from specific program

From: Steve Grubb <sgrubb(a)redhat.com&gt; To: linux-audit(a)redhat.com Cc: Lance Dillon <riffraff169(a)yahoo.com&gt; Sent: Fri, December 2, 2011 10:04:15 AM Subject: Re: filter specific file from specific program On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote: > I have a need to filter a file from auditing, but only from a specific > process. We are running splunk, and indexing /var/log/audit/audit.log. We > want audit.log to be monitored, so we are using a dir watch on > /var/log/audit, but we just don't want splunk access to be reported. > Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because it > filters everything, not that specific process. The object is the file. The subject would be the program accessing the file. You could use subj_type. > However, it actually spawns another process to do the actual access, so I can't > filter on pid either. It runs unconfined, Which is a big problem because you really don't want it to be unconfined. > so I can't filter on subj_type=unconfined_t, because that would filter way too much. > > It was suggested to me to use audit roles. If this is something separate > from selinux context, perhaps someone can point me in the right direction? > I only want to filter out (not audit) access to audit.log from the > specific process /opt/splunkforwarder/bin/splunkd (and any forks it may > do). I think you might could make the helper app setgid and then filter that out. -a never,exit -F gid=xxx -Steve