On Thursday 01 February 2007 09:59:00 Stephen Smalley wrote:
> > Assuming current generation of audit code...
> >
> > auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
>
> Hmmm...on FC6, that yields an error from auditctl:
> key option needs a watch or syscall given prior to it
> Dropping the -k option avoids the error message, but overwriting a bin_t
> file doesn't generate any audit message.

This turned out to be a bug in libaudit which was fixed in 1.4.1. It should
work as I stated above when you upgrade. If not, let me know...
-Steve