On Wednesday 20 January 2010 02:50:52 pm Stephen Smalley wrote:
> > Here is my blog on it.
> >
> > http://danwalsh.livejournal.com/34903.html
>
> 1) Your watch will actually trigger some audit messages since that file
> does get written sometimes, vs. using Eric or Steve Grubb's suggestion
> which should never fire.

I had suggested to Dan to use a file watch so as not to impact performance as
much if the system is a busy one, but I had suggested a file that should never
be written to like /etc/service, /etc/shells, or /etc/protocols. The file is
matched by hash rather than looping through the syscall rules which does make
things run faster.

> 2) I see a type=PATH record rather than type=AVC_PATH, e.g.:
>
> As I recall, AVC_PATH was for the case where we could directly generate
> the pathname during AVC audit (i.e. the hook had the vfsmount and dentry
> available to it), whereas PATH is when syscall audit collected the
> pathname on entry.

That would be duplication of audit records. PATH should be emitted whenever
you want the object of the syscall. It appears that AVC_PATH has been
deprecated.
-Steve
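The point of the thread is that the full pathname of the object an AVC denial refers to arrives as a separate type=PATH record (sharing the same audit serial) only when syscall auditing is collecting it, which is why a cheap watch rule on a never-written file is being suggested. The parser below, added here as an example and not code from the thread, auditd or the SELinux project, groups audit records by their `audit(timestamp:serial)` event id, joins each AVC with the PATH records of the same event, and flags denials that arrived with no PATH record at all. The sample records are constructed (placeholder contexts, inodes and timestamps), and the field names `perms`, `paths` and `key` in the returned dicts are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread). Event 456 was
# collected with syscall auditing active, e.g. after loading a watch rule such
# as "-w /etc/protocols -p w -k protocols-watch", so it carries SYSCALL, CWD
# and PATH records. Event 457 shows an AVC that arrived with no PATH record.
SAMPLE_LOG = """\
type=AVC msg=audit(1264000000.123:456): avc:  denied  { write } for  pid=1234 comm="demo" name="protocols" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:demo_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1264000000.123:456): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="demo" exe="/usr/bin/demo" subj=unconfined_u:unconfined_r:demo_t:s0 key="protocols-watch"
type=CWD msg=audit(1264000000.123:456):  cwd="/root"
type=PATH msg=audit(1264000000.123:456): item=0 name="/etc/protocols" inode=12345 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1264000001.500:457): avc:  denied  { read } for  pid=1235 comm="other" name="shadow" dev=dm-0 ino=777 scontext=unconfined_u:unconfined_r:demo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Every record starts with type=... msg=audit(<seconds>.<millis>:<serial>):
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The { perm perm ... } list inside an AVC body.
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Parse one audit line into a dict, or return None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    rec = {
        'type': m.group('type'),
        'ts': m.group('ts'),
        'serial': int(m.group('serial')),
        'fields': {k: v.strip('"') for k, v in FIELD_RE.findall(body)},
    }
    if rec['type'] == 'AVC':
        pm = PERMS_RE.search(body)
        rec['perms'] = pm.group(1).split() if pm else []
        rec['result'] = 'denied' if ' denied ' in body else 'granted'
    return rec


def group_events(log_text):
    """Group records by serial: all records of one syscall share the serial."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec['serial']].append(rec)
    return events


def avc_with_paths(log_text):
    """Join each AVC record with the PATH names (and SYSCALL key) of its event."""
    out = []
    for serial, recs in sorted(group_events(log_text).items()):
        avcs = [r for r in recs if r['type'] == 'AVC']
        if not avcs:
            continue
        paths = [r['fields']['name'] for r in recs
                 if r['type'] == 'PATH' and 'name' in r['fields']]
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        for avc in avcs:
            out.append({
                'serial': serial,
                'result': avc['result'],
                'perms': avc['perms'],
                'tclass': avc['fields'].get('tclass'),
                'name': avc['fields'].get('name'),   # basename only, from the AVC itself
                'paths': paths,                      # full pathnames, from PATH records
                'key': syscall['fields'].get('key') if syscall else None,
            })
    return out


def denials_without_path(log_text):
    """Serials of denials that carried no PATH record (syscall audit not collecting)."""
    return [e['serial'] for e in avc_with_paths(log_text)
            if e['result'] == 'denied' and not e['paths']]


if __name__ == '__main__':
    for event in avc_with_paths(SAMPLE_LOG):
        print(event['serial'], event['result'], event['perms'], event['name'], event['paths'])
    print('denials lacking a PATH record:', denials_without_path(SAMPLE_LOG))
```

On a real system the same functions can be fed the output of `ausearch -m AVC,SYSCALL,CWD,PATH --raw`; the serials returned by `denials_without_path` are the events for which only the AVC's basename is available, which is exactly the gap the watch rule discussed above is meant to close.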