Stephen Smalley <sds(a)tycho.nsa.gov> wrote on 09/28/2006 06:34:43 AM:
> On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
> > When in enforcing mode, I am only able to audit files in selinuxfs by
> > inode, not by path. I am running as auditadm_r.
> >
> > /* Try adding audit rule with -F path */
> > # auditctl -a exit,always -S open -F path=/selinux/enforce
> > Error sending add rule request (Permission denied)
>
> What avc denial do you get? I suspect this just means the policy should
> be changed to allow e.g. search on security_t:dir for auditctl.

I don't see any AVC messages when I try to add this rule.
The only new record I see is:

type=CONFIG_CHANGE msg=audit(1159461436.758:1016): auid=500 subj=staff_u:auditadm_r:auditctl_t:s0-s15:c0.c255 add rule key=(null) list=4 res=0

But no rule was added:

# auditctl -l
No rules
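
Added example, not part of the original message or of the audit tools: a short Python parser that picks out CONFIG_CHANGE records like the one above where a rule change was attempted but res=0 (failure), which is the only trace left here since no AVC was logged. The function names and the second sample record are constructed for illustration; accepting an op= field is an assumption about how other kernel versions spell the operation.

```python
import re
from datetime import datetime, timezone

# Record copied from the message above, joined onto one line.
SAMPLE = ("type=CONFIG_CHANGE msg=audit(1159461436.758:1016): auid=500 "
          "subj=staff_u:auditadm_r:auditctl_t:s0-s15:c0.c255 add rule "
          "key=(null) list=4 res=0")
# Constructed counterpart: the same record as if the add had succeeded.
SAMPLE_OK = SAMPLE.replace(":1016)", ":1017)").replace("res=0", "res=1")

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")

def parse_record(line):
    """Split one audit record into type, time, serial, operation and fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, _millis, serial, body = m.groups()
    fields, words = {}, []
    for token in body.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value.strip('"')
        else:
            words.append(token)  # bare words such as "add rule"
    # This record carries the operation as bare words; an op=add_rule style
    # field is accepted too (assumption about other kernel versions).
    op = fields.get("op", " ".join(words)).replace("_", " ")
    when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return {"type": rtype, "serial": int(serial), "time": when,
            "op": op, "fields": fields}

def failed_rule_changes(lines):
    """Return CONFIG_CHANGE records where a rule change was refused (res=0)."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if (rec and rec["type"] == "CONFIG_CHANGE"
                and "rule" in rec["op"] and rec["fields"].get("res") == "0"):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in failed_rule_changes([SAMPLE, SAMPLE_OK]):
        f = rec["fields"]
        print(f"{rec['time']:%Y-%m-%d %H:%M:%S}Z serial={rec['serial']} "
              f"op={rec['op']!r} auid={f.get('auid')} subj={f.get('subj')}")
```

The subj field of each hit gives the SELinux context that attempted the change, which is the domain to look at in policy when the refusal comes with no AVC message.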