Debora Velarde wrote:
 When in enforcing mode, I am only able to audit files in selinuxfs by
 inode, not by path.  I am running as auditadm_r.
 
 /* Try adding audit rule with -F path */
 # auditctl -a exit,always -S open -F path=/selinux/enforce
 Error sending add rule request (Permission denied)
 
 # auditctl -l
 No rules
 
 /* Try adding audit rule with -w path syntax */
 # auditctl -w /selinux/enforce
 Error sending add rule request (Permission denied)
 
 /* Try adding audit rule with -F inode */
 # ls -i /selinux/enforce
 4 /selinux/enforce
 
 # auditctl -a exit,always -S open -F inode=4
 # auditctl -l
 LIST_RULES: exit,always inode=4 (0x4) syscall=open

I wonder what this is actually doing.  An inode number without
a file system isn't very interesting.  Should this rule even
be accepted?
 
 Since it is possible to audit the files, this might only require a 
 documentation change.  Perhaps adding a comment to the auditctl man page 
 would be sufficient?
 
 -debbie
 
 
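The reply's point that a bare inode number does not name a filesystem, shown as an added example that is not part of the original thread: the first function prints a rule that pairs `inode=` with auditctl's `devmajor=` and `devminor=` fields, and the second lists which files under given directories carry a given inode number. The function names are made up for this example, and it assumes GNU `stat` and the glibc device-number encoding.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and the glibc dev_t layout.

# Split a st_dev value into its major and minor numbers.
dev_major() { echo $(( (($1 >> 8) & 0xfff) | (($1 >> 32) & ~0xfff) )); }
dev_minor() { echo $(( ($1 & 0xff) | (($1 >> 12) & ~0xff) )); }

# Print (do not load) an audit rule that ties the inode to its device.
# Pseudo filesystems such as selinuxfs have major 0 and a minor assigned at
# mount time, so the rule has to be regenerated after each mount.
# Usage: auditctl $(inode_rule /selinux/enforce)
inode_rule() {
    out=$(stat -c '%i %d' -- "$1") || return 1
    ino=${out% *}
    dev=${out#* }
    echo "-a exit,always -S open -F inode=$ino" \
         "-F devmajor=$(dev_major "$dev") -F devminor=$(dev_minor "$dev")"
}

# List every file with inode number $1 under the directories that follow,
# one filesystem per directory (-xdev), as "major:minor path". More than one
# line of output means a bare inode= rule names more than one object.
inode_matches() {
    inum=$1; shift
    for dir in "$@"; do
        find "$dir" -xdev -inum "$inum" -exec stat -c '%d %n' -- {} + 2>/dev/null
    done | while read -r dev name; do
        echo "$(dev_major "$dev"):$(dev_minor "$dev") $name"
    done
}
```

Running `inode_matches 4 /selinux /` on the reporter's system would show whether inode 4 exists on the root filesystem as well as on selinuxfs.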