On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
> Debora Velarde wrote:
> > # auditctl -a exit,always -S open -F inode=4
> > # auditctl -l
> > LIST_RULES: exit,always inode=4 (0x4) syscall=open
>
> I wonder what this is actually doing. An inode number without
> a file system isn't very interesting. Should this rule even
> be accepted?
Well, probably this is telling the audit system to audit access to all
inodes with the number 4 on any filesystem, and if that's not what you
want you need to be more specific...
Given the Unix philosophy of allowing admins to shoot themselves in the
foot, would a warning be appropriate?
-Klaus
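
The warning discussed in this thread, sketched as an added example (not code from the thread or from the audit project): a small linter that flags an `inode=` filter with no `devmajor=`/`devminor=` beside it, plus a helper that derives all three fields from a path. The function names and the sample rules are constructed for illustration, and only `-F field=value` equality filters are parsed.

```python
import os
import shlex

def rule_fields(rule):
    """Collect the field=value pairs given with -F in one auditctl rule line."""
    tokens = shlex.split(rule)
    fields = {}
    for i, tok in enumerate(tokens):
        if tok == "-F" and i + 1 < len(tokens):
            expr = tokens[i + 1]          # form: -F inode=4
        elif tok.startswith("-F") and len(tok) > 2:
            expr = tok[2:]                # form: -Finode=4
        else:
            continue
        name, sep, value = expr.partition("=")
        if sep:
            fields[name] = value
    return fields

def lint_rule(rule):
    """Return a warning if the rule matches an inode number on every filesystem."""
    f = rule_fields(rule)
    if "inode" in f and not ("devmajor" in f and "devminor" in f):
        return ("inode=%s has no devmajor/devminor filter: the rule matches "
                "that inode number on any filesystem" % f["inode"])
    return None

def qualified_filter(path):
    """Build inode + device filters that together identify one file."""
    st = os.stat(path)
    return "-F inode=%d -F devmajor=%d -F devminor=%d" % (
        st.st_ino, os.major(st.st_dev), os.minor(st.st_dev))

# Constructed sample rules: the first is the rule quoted in the thread,
# the second uses made-up device numbers.
SAMPLE_RULES = [
    "auditctl -a exit,always -S open -F inode=4",
    "auditctl -a exit,always -S open -F inode=4 -F devmajor=8 -F devminor=1",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule)
        print("   ", lint_rule(rule) or "ok")
    print("filter for /etc/passwd:", qualified_filter("/etc/passwd"))
```
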