On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by
> inode, not by path. I am running as auditadm_r.
>
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)

What avc denial do you get? I suspect this just means the policy should be
changed to allow e.g. search on security_t:dir for auditctl.

>
> # auditctl -l
> No rules
>
> /* Try adding audit rule with -w path syntax */
> # auditctl -w /selinux/enforce
> Error sending add rule request (Permission denied)
>
> /* Try adding audit rule with -F inode */
> # ls -i /selinux/enforce
> 4 /selinux/enforce
>
> # auditctl -a exit,always -S open -F inode=4
> # auditctl -l
> LIST_RULES: exit,always inode=4 (0x4) syscall=open
>
>
> Since it is possible to audit the files, this might only require a
> documentation change. Perhaps adding a comment to the auditctl man page
> would be sufficient?

--
Stephen Smalley
National Security Agency
