On Saturday, January 09, 2016 10:26:06 AM Richard Young wrote:
> I know I could exclude all msgtype CRYPTO_KEY_USER audit events, but
> would like to exclude just specific ones.
> I would like to exclude ones for a specific UID, hostname, or IP.
> There are many examples of how to exclude specific files, directory events,
> or syscall events.
> Can somebody suggest a way to suppress specific CRYPTO_KEY_USER events by
> UID, hostname, or IP?
I opened a bz to ask for this capability a little over a month ago:
https://bugzilla.redhat.com/show_bug.cgi?id=1287745
Unfortunately, I don't think you can do anything until that lands.
This particular event comes from user space. So, the kernel cannot filter on IP
address. And specifically, the kernel can never really filter on IP address
because it's typically not an argument to any but 2 or 3 syscalls.
There is a chance that you might be able to use the USER filter if the selinux
type is unique to whatever you wanted to remove.
-a never,user -F subj_type=httpd_t
-Steve
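An added example, not code from this thread or from the audit project: since these records are generated in user space and the kernel rule set cannot match them on UID, hostname or address, the only place to apply that kind of exclusion today is after the fact, over the audit.log lines. The records below are constructed in the CRYPTO_KEY_USER layout that sshd emits through libaudit; the function names and the filter interface are my own.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample records (not captured from a real host). Field values
# such as PIDs, fingerprints and addresses are made up for the example.
SAMPLE_LOG = """\
type=CRYPTO_KEY_USER msg=audit(1452330000.101:2001): pid=1201 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=destroy kind=server fp=SHA256:AAAA direction=? spid=1202 suid=74 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1452330000.102:2002): pid=1203 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=destroy kind=server fp=SHA256:AAAA direction=? spid=1204 suid=74 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1452330000.103:2003): pid=1205 uid=1000 auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0 msg='op=destroy kind=session fp=? direction=both spid=1206 suid=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.4 terminal=? res=success'
type=USER_LOGIN msg=audit(1452330000.104:2004): pid=1207 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
"""

# key=value tokens: double-quoted, single-quoted (the nested user-space
# payload) or bare. The alternation order matters so quoted values with
# spaces are consumed as one token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict. The kernel-side header fields
    (type, pid, uid, subj, ...) and the user-space payload inside msg='...'
    (op, hostname, addr, exe, res, ...) end up in the same mapping."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith("'"):
            fields.update(parse_record(value[1:-1]))  # recurse into msg='...'
        else:
            fields[key] = value.strip('"')
    return fields


def suppress(lines: Iterable[str], uid: Optional[str] = None,
             hostname: Optional[str] = None,
             addr: Optional[str] = None) -> List[str]:
    """Return the records to keep. A CRYPTO_KEY_USER record is dropped only
    when it matches every criterion given; other record types always pass,
    and with no criteria nothing is dropped (mirrors an 'exclude' rule that
    is scoped to one msgtype rather than silencing the whole type)."""
    criteria = {k: v for k, v in
                {"uid": uid, "hostname": hostname, "addr": addr}.items()
                if v is not None}
    kept: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if (rec.get("type") == "CRYPTO_KEY_USER" and criteria
                and all(rec.get(k) == v for k, v in criteria.items())):
            continue
        kept.append(line)
    return kept
```

Feed it `sys.stdin` or the output of `ausearch --raw` in practice; the USER_LOGIN line in the sample shows that matching on addr alone does not touch other record types from the same peer.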