I guess I'm not clear on whether you want to capture all operations or just denied ones. If only denied ones, then that is already audited by default unless suppressed by a dontaudit rule in policy, and it will log every instance unless in permissive mode.
On Mon, Mar 3, 2014 at 7:50 AM, Stephen Smalley <[email protected]> wrote:
> You can use auditallow statements in the .te files to enable auditing
> of allowed/granted permissions. Same syntax as allow rules. So, for
> example, if you mirrored every allow rule with a corresponding
> auditallow rule, you'd see every access granted (as an avc: granted
> log message). However, this will likely flood the logs and DOS your
> system, so I'd recommend being more selective. The other approach
> would be to write some audit syscall filters in audit.rules based on
> SELinux context.
>
> On Fri, Feb 28, 2014 at 8:31 PM, Ruowen Wang <[email protected]> wrote:
>> Hi SEAndroid,
>>
>> I am trying to capture all operations (mainly system calls) of a specific
>> domain type, such as platform_app. I do want to keep all duplicated denials
>> of a specific domain type along with every related system call in the audit
>> log for my analysis.
>>
>> I am reading the code in selinux/avc.c. I think the functions "avc_audit,
>> slow_avc_audit" should be related to this. Suppose the domain type I want is
>> "platform_app", is it possible to first check the ssid/tsid of platform_app
>> and then bypass the audited checking, which can force it to call
>> slow_avc_audit?
>>
>> Furthermore, if later on I want to focus on another domain, such as
>> media_app, is it possible to pass the domain type as an argument from user
>> space to the selinux avc module to do the above job? I notice the "auditd"
>> daemon has some ways to send some info to the kernel. Can I use that?
>>
>> Thanks in advance.
>>
>> ----
>> Best Regards!
>> Ruowen
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to
>> [email protected].
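A selective form of the allow-rule mirroring suggested in the quoted reply, as an added example that is not part of the original thread or of the SEAndroid tree: it emits auditallow rules only for one source domain, so other domains do not add to the log volume. The function names, the `attributes` parameter and the sample policy lines are assumptions constructed for illustration.

```python
import re

# One single-line rule: allow <source> <target>:<class> <perms>;
# Rules spread over several lines are not handled here.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(~?\{[^}]*\}|[^\s;]+)\s*;"
)

def names(field):
    """Split 'a' or '{ a b }' into a list of names."""
    return field.strip("{} \t").split()

def mirror_allow_rules(te_text, domain, attributes=()):
    """Return auditallow rules mirroring the allow rules that cover `domain`.

    `attributes` names attributes the caller knows the domain carries
    (assumption: this script cannot resolve them from the policy itself).
    """
    wanted = {domain, *attributes}
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        source, target, tclass, perms = m.groups()
        src = names(source)
        if f"-{domain}" in src:            # domain explicitly excluded from the set
            continue
        if not wanted.intersection(src):   # rule is for some other domain
            continue
        # Narrow the source to the one domain being studied.
        rules.append(f"auditallow {domain} {target}:{tclass} {perms};")
    return rules

# Constructed sample policy lines, not copied from a real policy tree.
SAMPLE_TE = """\
allow platform_app app_data_file:file { read write };
allow appdomain self:process execmem;   # reaches platform_app via attribute
allow { appdomain -platform_app } shell_exec:file rx_file_perms;
allow media_app audio_device:chr_file rw_file_perms;
dontaudit platform_app sysfs:file read;
"""

if __name__ == "__main__":
    print("\n".join(mirror_allow_rules(SAMPLE_TE, "platform_app", ("appdomain",))))
```

Switching the analysis to another domain such as media_app means regenerating the rules with a different `domain` argument and rebuilding the policy.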
