On Friday, June 08, 2012 11:36:38 AM Peter Moody wrote:
> On Fri, Jun 8, 2012 at 7:49 AM, Daniel J Walsh
> <dwalsh(a)redhat.com> wrote:
> > One thing you could do would be to write a simple SELinux domain, like
> > auditproc_t and have unconfined_t transition to it using runcon.
>
> True, but this requires running selinux, which despite all of the
> excellent work you guys have put into making that easy (easier), is
> still a non-starter for some people.
I agree. I'd like to see the capability developed out because it might allow new
kinds of auditing. Like...you might want to audit syscalls with EPERM started by
apache and not under the httpd_t selinux context. :-)
-Steve