On Tue, Jun 6, 2023 at 3:09 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Tuesday, June 6, 2023 6:31:55 PM EDT Vincent Abraham wrote:
> > Thanks. Could you also point to portions in the codebase where these
> > functions are called for monitoring file access?
> I'll let Richard or Paul point to the place in the kernel if that's
> necessary. I think there's a fundamental mismatch and it might not matter.
The audit subsystem in the Linux Kernel is currently found in the core
kernel/ directory:
% ls -1 kernel/audit*
kernel/audit.c
kernel/auditfilter.c
kernel/audit_fsnotify.c
kernel/audit.h
kernel/auditsc.c
kernel/audit_tree.c
kernel/audit_watch.c
> ... would be path, kind of access, who is accessing it, program accessing
> it, portions of se linux labeling, and a few other things.
FYI for everyone on the thread, the generally accepted way to write
"SELinux" is as one word (no space between the "SE" and "Linux") and
with the first three letters capitalized. I know we can be a little
lazy with capitalization, I definitely am, but writing it as one word
is the important part.
--
paul-moore.com