RE: Excluding the single executable on the top of audit.rules

Hello, Steve, thanks for a nice idea about adding new context for pulseaudio. We'll try to configure SELinux in this way. Also I would ask you to give some info about the unfinished branch that was intended to provide the "exe" filtering. Probably our team could work it out. I would be curious which rule you are getting hit with. I have attached the small piece of audit logs just for the case if you want to see what’s going on with pulseaudio. The vast majority of captured syscalls is #2 - syscall open. Normally, you design the rules so that a properly running system does not cause events. This means qualifying the rules with something like EPERM or EACCES so that you only log real problems and not normal system operation. The main reason of making the audit.rules so exhaustive is our attempt to trace and log all the user’s actions. Unfortunately /usr/bin/pulseaudio always has the uid value of a non-system user (>500). That’s why our logs are flooded. Sincerelly, Vitaly Isaev Software engineer Information security department Fintech JSC, Moscow, Russia -----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: Wednesday, August 20, 2014 12:34 AM To: linux-audit(a)redhat.com Cc: Исаев Виталий Анатольевич Subject: Re: Excluding the single executable on the top of audit.rules Hello, On Tuesday, August 19, 2014 11:07:18 AM Исаев Виталий Анатольевич wrote: I would be curious which rule you are getting hit with. Normally, you design the rules so that a properly running system does not cause events. This means qualifying the rules with something like EPERM or EACCES so that you only log real problems and not normal system operation. That said, at the moment, the best way to remove a single process is to use selinux types in the audit event. However, this trick does not work in this case because pulseaudio has no SE Linux policy. You would almost want to give it a type that maps to unconfined_t. Then you could write a rule like: -a exit,never -S all -F subj_type=pulseaudio_t You would place that at the top of the rules so it matches first. There was work going on to match against an executable name. But I haven't seen any progress in a long time. If that were finished, it would solve your problem. -Steve