Re: [RFC][PATCH] (#6) filesystem auditing
On Tue, 2005-03-15 at 13:41 -0500, Stephen Smalley wrote:
Ah, I think SELinux is stopping it. Even in permissive mode.
SELinux
applies a check from the netlink_send() hook, and it doesn't presently
have a mapping for the new audit operations you are introducing, so it
rejects the request as invalid. That security stuff, always getting in
the way ;)
Ok, please incorporate the patch below into your patch so that SELinux
won't prevent using your new audit operations.
Index: linux-2.6/security/selinux/nlmsgtab.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/nlmsgtab.c,v
retrieving revision 1.3
diff -u -p -r1.3 nlmsgtab.c
--- linux-2.6/security/selinux/nlmsgtab.c 26 Jan 2005 21:21:27 -0000 1.3
+++ linux-2.6/security/selinux/nlmsgtab.c 15 Mar 2005 18:49:29 -0000
@@ -98,6 +98,8 @@ static struct nlmsg_perm nlmsg_audit_per
{ AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_LOGIN, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
+ { AUDIT_WATCH_INS, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
+ { AUDIT_WATCH_REM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
};
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency