On Thu, 2006-09-28 at 16:33 -0400, Steve Grubb wrote:
> On Wednesday 27 September 2006 17:26, Debora Velarde wrote:
> > When in enforcing mode, I am only able to audit files in selinuxfs by
> > inode, not by path. I am running as auditadm_r.
> >
> > /* Try adding audit rule with -F path */
> > # auditctl -a exit,always -S open -F path=/selinux/enforce
> > Error sending add rule request (Permission denied)
>
> When I do this command, I see AVCs:
>
> time->Thu Sep 28 16:25:12 2006
> type=AVC msg=audit(1159475112.366:289): avc: denied { getattr } for
> pid=12893 comm="auditctl" name="/" dev=hda7 ino=2
> scontext=root:system_r:auditctl_t:s0-s0:c0.c255
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> allow auditctl_t fs_t:filesystem getattr;
> allow auditctl_t security_t:dir search;

Yes, seems like that should just be addressed through policy (but likely
in a broader sense, not just these particular types).
--
Stephen Smalley
National Security Agency
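
How allow rules like the two quoted in the thread follow from AVC denials, as an added example that is not part of the original messages: a small Python version of the denial-to-rule mapping that the audit2allow tool performs. The function names are hypothetical, the first record is the one from the thread rejoined onto one line, and the second record is constructed here to stand in for the directory search denial that the thread does not show.

```python
import re
from collections import defaultdict

# AVC record from the thread, rejoined onto a single line.
AVC_FROM_THREAD = (
    'type=AVC msg=audit(1159475112.366:289): avc: denied { getattr } for '
    'pid=12893 comm="auditctl" name="/" dev=hda7 ino=2 '
    'scontext=root:system_r:auditctl_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem')
# Constructed record (not from the thread) for the second allow rule.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(0.000:0): avc: denied { search } for '
    'pid=12893 comm="auditctl" '
    'scontext=root:system_r:auditctl_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:security_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not a denial (timestamps, granted records, other types)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    try:
        # A context is user:role:type[:mls range]; the type is field three.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return source, target, tclass, m.group('perms').split()

def allow_rules(lines):
    """Merge denials per (source, target, class) and emit allow statements."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            source, target, tclass, perms = parsed
            merged[(source, target, tclass)].update(perms)
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {source} {target}:{tclass} {text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules([AVC_FROM_THREAD, AVC_CONSTRUCTED])))
```

The output is only a list of candidate rules; as the reply above says, the denial may be better addressed in policy more broadly than for these particular types.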