On 10/08/2013 11:21 PM, William Roberts wrote:
> You could change all occurrences of allow to auditallow. This will still let
> the action go through, but log it.
> 
> You can use sed to make this change.

Not quite right.  auditallow doesn't allow anything; it merely enables
auditing of allowed permissions (i.e. granted messages).  You still need
the allow rule to permit the action.

Also, if you auditallow everything, you will likely DoS the system from
an audit flood.

AFAIK, the only reason you don't see granted messages in audit.log on
Android is that we have no auditallow rules in our default policy for
Android.  You can certainly add them, but don't add them blindly;
only add them when you want to see every time a particular permission is
granted.

Also, consider creating a /data/misc/audit/audit.rules file if you want
to audit certain actions.  Example attached.  This is only supported in
the auditd on our seandroid and seandroid-4.3 branches presently, not on
4.2 or earlier.

> On Oct 8, 2013 9:32 PM, "Ruowen Wang" <[email protected]> wrote:
> 
>> Hi SEAndroid,
>>
>> I am a newcomer. I am playing with the audit.log and audit2allow in
>> SEAndroid. One thing I am wondering is that I cannot find "granted"
>> messages but only "denied" messages in audit.log, which is different from
>> the desktop version of the audit daemon. Is it possible to configure the
>> auditd to log granted messages?
>>
>> Thanks,
>>
>> Best Regards!
>> Ruowen
>>
>>
> 

-w /data/system -p wa
-w /data/security -p wa
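The policy change described above (keep the allow rule, and add an auditallow twin only for the rules you actually want to see granted), as an added shell example; this is not code from the thread or from the SEAndroid policy. The sample policy fragment and its type names are constructed for illustration, and the pattern filter is an assumption about how one would scope the auditallow rules to avoid an audit flood.

```shell
#!/bin/sh
# Added example, not from the SEAndroid thread or its policy.
# Given a policy fragment on stdin, keep every "allow" rule unchanged and,
# for the allow rules whose body matches a caller-supplied pattern, emit a
# matching "auditallow" rule right after it.  The allow rule still grants
# the access; the auditallow twin only makes each grant show up as a
# "granted" AVC message.  Rules that do not match the pattern get no twin,
# so the audit volume stays limited to what you asked for.

# Constructed sample fragment (hypothetical types, not real policy).
SAMPLE_POLICY='allow untrusted_app app_data_file:file { read write open };
allow untrusted_app system_server:binder call;
allow system_server system_data_file:dir { write add_name };
neverallow untrusted_app kmem_device:chr_file *;
'

# Usage: add_auditallow PATTERN   (policy on stdin, result on stdout)
# PATTERN is an extended regex matched against the text after "allow ".
# It must not contain "/", since it is spliced into a sed address.
add_auditallow() {
  pattern="$1"
  # Only lines that begin with the keyword "allow" are candidates, so
  # "neverallow", "dontaudit" and existing "auditallow" lines pass through.
  # For each candidate: print the line as-is, then print a copy with the
  # keyword swapped to "auditallow" (sed auto-prints the substituted line).
  sed -E "/^[[:space:]]*allow[[:space:]]+.*${pattern}/{
p
s/^([[:space:]]*)allow/\1auditallow/
}"
}

# Count the auditallow rules in a fragment read from stdin.
# grep -c exits 1 when the count is 0; "|| true" keeps that from aborting
# a caller running under "set -e".
count_auditallow() {
  grep -c '^[[:space:]]*auditallow[[:space:]]' || true
}

# Stand-alone run: twin every allow rule that involves untrusted_app.
printf '%s' "$SAMPLE_POLICY" | add_auditallow 'untrusted_app'
```

The pattern is what keeps this from being the "auditallow everything" case warned about above: pass a source type, a target type or an object class, and only those allow rules gain an auditallow rule. The resulting fragment still has to be compiled into the policy as usual; a bare auditallow line on its own grants nothing.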
