When in enforcing mode, I am only able to audit files in selinuxfs by inode, not by path. I am running as auditadm_r.
/* Try adding audit rule with -F path */
# auditctl -a exit,always -S open -F path=/selinux/enforce
Error sending add rule request (Permission denied)
# auditctl -l
No rules

/* Try adding audit rule with -w path syntax */
# auditctl -w /selinux/enforce
Error sending add rule request (Permission denied)

/* Try adding audit rule with -F inode */
# ls -i /selinux/enforce
4 /selinux/enforce
# auditctl -a exit,always -S open -F inode=4
# auditctl -l
LIST_RULES: exit,always inode=4 (0x4) syscall=open

Since it is possible to audit the files, this might only require a documentation change. Perhaps adding a comment to the auditctl man page would be sufficient?

-debbie

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
