Re: [RFC][PATCH] (#6 U1) the latest incarnation
On Thu, 2005-03-24 at 14:23 -0500, Stephen Smalley wrote:
Then I start to see some audit messages during passwd, but I
shouldn't
have to request read access auditing in order to see modifications
(especially as that will generate a lot more data, e.g. upon every
authentication program's use of /etc/shadow).
Ok, I see what is happening. You call audit_attach_watch() from d_move,
but you will never hit an audit_notify_watch(), hence no audit data upon
renames until a subsequent write to the existing file (which never
happens for /etc/shadow, as it is always re-created and renamed for each
transaction). So a natural question is what else should be calling
audit_notify_watch besides permission, exec_permission_lite, and
may_delete? d_move? may_create?
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency