Re: [RFC][PATCH] (#6) filesystem auditing
On Tue, 2005-03-15 at 12:33 -0600, Timothy R. Chavez wrote:
Oops, I was looking at an unpatched auditctl.c (doh!) so I don't
think this is
the problem necessarily, but if you could please verify that you do make it
past audit_netlink_ok(), into audit_watch_insert(), and then print out the
values, that'd help. I'm trying to think of where you'd get invalids. And
you're right, its likely that at least the payload is malformed in some way.
Ah, I think SELinux is stopping it. Even in permissive mode. SELinux
applies a check from the netlink_send() hook, and it doesn't presently
have a mapping for the new audit operations you are introducing, so it
rejects the request as invalid. That security stuff, always getting in
the way ;)
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency