On Tuesday 15 March 2005 03:01 pm, Stephen Smalley wrote:
On Tue, 2005-03-15 at 15:48 -0500, Stephen Smalley wrote:
> Hmmm...how is this supposed to work? audit_log_exit() isn't called
> unless context->auditable is set. Should audit_notify_watch() be
> setting context->auditable when adding a file to the wtrail so that it
> will be processed upon syscall exit? Otherwise, you need some other
> filter to enable the auditable flag separate from your watch, right?
Note btw that since SELinux does immediate generation of audit messages
via audit_log* from its hooks, this automatically enables the auditable
flag (since audit_log_start calls audit_get_stamp, and audit_get_stamp
enables the auditable flag). That is why further audit records are
written at syscall exit whenever SELinux emits an audit message from a
hook. But in your case, as you are just adding data to a list from your
hook, you need to separately enable the auditable flag in some manner.
Right, the manner in which you get records for watched files / directories is
by filtering on syscalls that access those watched files / directories. In
our case we said it was sufficient to audit the following two:
./auditctl -a exit,always -S open
./auditctl -a exit,always -S unlink
So then when you do,
./auditctl -w /etc/passwd -k fk_passwd_f
And then,
cat /etc/passwd
You'll get a record for "passwd".
Then if you added,
./auditctl -w /etc -k fk_etc_d
And then,
cat /etc/passwd
You should get a trail (two records); one for "etc" and one for
"passwd"
-tim