On Friday 26 May 2006 13:05, Stephen Smalley wrote:
> Hmmm...what is it that you actually want to do here?

We need to meet the requirements for LSPP where there is a relabel on boot, but we do not want a record for each file that was touched. It was discussed on the LSPP telecon a while back that just one record was sufficient.

> If you only care about auditing autorelabel events, then I'd suggest
> generating the audit message from the autorelabel portion of rc.sysinit (via
> a helper, I suppose), not from setfiles itself.

This is a shell script and cannot connect to libaudit.

> If you want to audit all full relabels, then you need to instrument more
> than setfiles (e.g. restorecon -R / works just as well), and of course, you
> potentially need to do something at the kernel level with audit filters or
> auditallow rules in policy if you truly want to capture all relabels.

We get relabels by monitoring the setxattr syscall. But during bootup before going interactive, we just want 1 message.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
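The exchange above turns on monitoring relabels through the setxattr syscall while wanting one record for a whole boot-time relabel rather than one per file. The script below is an added example, not code from this thread or from the audit project: it parses constructed audit SYSCALL/PATH records, as a rule like `auditctl -a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -k relabel` would produce, and collapses the per-file events into one summary line per relabeling process. The log lines, the `relabel` key, the x86_64 syscall numbers (188/189/190) and the `relabel-summary` output format are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). They assume an x86_64 host
# with an audit rule such as:
#   auditctl -a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -k relabel
# On x86_64, syscall 188/189/190 are setxattr/lsetxattr/fsetxattr; syscall 2 is open.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1148650000.101:201): arch=c000003e syscall=188 success=yes exit=0 pid=412 uid=0 comm="setfiles" exe="/sbin/setfiles" key="relabel"
type=PATH msg=audit(1148650000.101:201): item=0 name="/etc/passwd" inode=1234 obj=system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(1148650000.102:202): arch=c000003e syscall=188 success=yes exit=0 pid=412 uid=0 comm="setfiles" exe="/sbin/setfiles" key="relabel"
type=PATH msg=audit(1148650000.102:202): item=0 name="/etc/shadow" inode=1235 obj=system_u:object_r:shadow_t:s0
type=SYSCALL msg=audit(1148650000.200:203): arch=c000003e syscall=2 success=yes exit=3 pid=500 uid=0 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1148650000.200:203): item=0 name="/etc/passwd" inode=1234 obj=system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(1148650000.300:204): arch=c000003e syscall=189 success=no exit=-13 pid=611 uid=1000 comm="setfattr" exe="/usr/bin/setfattr" key="relabel"
type=PATH msg=audit(1148650000.300:204): item=0 name="/home/alice/notes" inode=8877 obj=user_u:object_r:user_home_t:s0
"""

# Syscall numbers are architecture-specific; this table is for arch=c000003e (x86_64).
XATTR_SYSCALLS_X86_64 = {"188": "setxattr", "189": "lsetxattr", "190": "fsetxattr"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of key=value fields plus _time/_serial."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    m = MSG_RE.search(line)
    if m:
        fields["_time"], fields["_serial"] = m.group(1), m.group(2)
    return fields


def group_events(log_text):
    """Group records that share an event serial (the SYSCALL record and its PATH records)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec.get("_serial")].append(rec)
    return events


def summarize_relabels(log_text, syscall_names=XATTR_SYSCALLS_X86_64):
    """Collapse per-file setxattr-family events into one entry per (comm, pid).

    Returns {(comm, pid): {"count": n, "failed": k, "paths": sorted list}}.
    Events whose syscall is not in the xattr family (e.g. plain open) are ignored.
    """
    summary = {}
    for recs in group_events(log_text).values():
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("syscall") not in syscall_names:
            continue
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        who = (syscall.get("comm"), syscall.get("pid"))
        entry = summary.setdefault(who, {"count": 0, "failed": 0, "paths": set()})
        entry["count"] += 1
        if syscall.get("success") != "yes":
            entry["failed"] += 1   # denied relabel attempts are worth surfacing separately
        entry["paths"].update(paths)
    for entry in summary.values():
        entry["paths"] = sorted(entry["paths"])
    return summary


def format_summary(summary):
    """Render one line per relabeling process instead of one record per file."""
    return [
        f'relabel-summary comm="{comm}" pid={pid} calls={e["count"]} '
        f'failed={e["failed"]} files={len(e["paths"])}'
        for (comm, pid), e in sorted(summary.items())
    ]


if __name__ == "__main__":
    for line in format_summary(summarize_relabels(SAMPLE_LOG)):
        print(line)
```

Grouping on the event serial is what lets the PATH records be attributed to the syscall that touched them; the summary keeps a failure count so a denied relabel attempt by an unprivileged process is not hidden inside the one-line-per-process view that the thread asks for.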
