Thanks for your suggestion. I am running SEAndroid in permissive mode and want to capture all denials in audit.log including duplicated or cached ones. I have figured out a way by slightly tweaking the kernel. Thanks!
----
Best Regards!
*Ruowen Wang*
Graduate Student
Department of Computer Science
North Carolina State University
E-mail: [email protected]

On Mon, Mar 3, 2014 at 7:54 AM, Stephen Smalley <[email protected]> wrote:
> I guess I'm not clear on whether you want to capture all operations or
> just denied ones. If only denied ones, then that is already audited
> by default unless suppressed by a dontaudit rule in policy, and it
> will log every instance unless in permissive mode.
>
> On Mon, Mar 3, 2014 at 7:50 AM, Stephen Smalley <[email protected]> wrote:
> > You can use auditallow statements in the .te files to enable auditing
> > of allowed/granted permissions. Same syntax as allow rules. So, for
> > example, if you mirrored every allow rule with a corresponding
> > auditallow rule, you'd see every access granted (as an avc: granted
> > log message). However, this will likely flood the logs and DOS your
> > system, so I'd recommend being more selective. The other approach
> > would be to write some audit syscall filters in audit.rules based on
> > SELinux context.
> >
> > On Fri, Feb 28, 2014 at 8:31 PM, Ruowen Wang <[email protected]> wrote:
> > > Hi SEAndroid,
> > >
> > > I am trying to capture all operations (mainly system calls) of a specific
> > > domain type, such as platform_app. I do want to keep all duplicated denials
> > > of a specific domain type along with every related system call in the audit
> > > log for my analysis.
> > >
> > > I am reading the code in selinux/avc.c. I think the functions "avc_audit,
> > > slow_avc_audit" should be related to this. Suppose the domain type I want is
> > > "platform_app", is it possible to first check the ssid/tsid of platform_app
> > > and then bypass the audited checking, which can force it to call
> > > slow_avc_audit?
> > >
> > > Furthermore, if later on I want to focus on another domain, such as
> > > media_app, is it possible to pass the domain type as an argument from user
> > > space to the selinux avc module to do the above job? I notice the "auditd"
> > > daemon has some ways to send some info to the kernel. Can I use that?
> > >
> > > Thanks in advance.
> > >
> > > ----
> > > Best Regards!
> > > Ruowen
> > >
> > > _______________________________________________
> > > Seandroid-list mailing list
> > > [email protected]
> > > To unsubscribe, send email to [email protected].
> > > To get help, send an email containing "help" to
> > > [email protected].
> > >
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
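The two policy-side approaches Stephen describes in the quoted replies (mirroring a domain's allow rules with auditallow rules so that granted accesses show up as avc: granted messages, or filtering syscalls by SELinux context in audit.rules) can both be generated mechanically. The script below is an added example written for this page, not code from the thread or from the SEAndroid project. It parses a constructed .te fragment (the types, classes and permission macros in it are made up for illustration) and emits auditallow rules only for the one domain of interest, which keeps the log volume down compared with mirroring every allow rule in the policy. It deliberately leaves dontaudit rules alone, since those suppress denial messages rather than grant access. The audit.rules line it builds uses the standard auditctl fields -F subj_type= and -k; the key name and the b64 architecture are assumptions for the example.

```python
import re

# Constructed sample policy fragment (not taken from the thread or from the
# real SEAndroid policy). Type, class and macro names are illustrative only.
SAMPLE_TE = """
type platform_app, domain;
allow platform_app platform_app_data_file:dir { read write search };
allow platform_app platform_app_data_file:file rw_file_perms;
allow platform_app self:process execmem;
dontaudit platform_app kernel:system module_request;
allow media_app media_data_file:file { read };
allow { platform_app media_app } app_data_file:file read;
"""

# One allow rule per line: allow <src> <tgt>:<class> <perms>;
# Each field is either a single token or a brace-enclosed set.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;\s*$",
    re.MULTILINE,
)


def _names(field):
    """Expand a field into the list of type names it contains."""
    if field.startswith("{"):
        return field.strip("{} ").split()
    return [field]


def mirror_auditallow(te_text, domain):
    """Return auditallow rules mirroring every allow rule whose source set
    contains `domain`. The source is narrowed to `domain` alone so a rule
    written for a set of domains does not enable auditing for the others.
    dontaudit rules are not matched and therefore not mirrored."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        if domain not in _names(m.group("src")):
            continue
        rules.append("auditallow %s %s:%s %s;" % (
            domain, m.group("tgt"), m.group("cls"), m.group("perms")))
    return rules


def audit_rule(domain, arch="b64", key=None):
    """Build the audit.rules line for the syscall-filter approach: record
    every syscall exit made by a process whose subject type is `domain`.
    The key defaults to the domain name (an assumption for this example)."""
    key = key or domain
    return "-a always,exit -F arch=%s -S all -F subj_type=%s -k %s" % (
        arch, domain, key)


if __name__ == "__main__":
    print("# policy-side: append to the domain's .te file")
    print("\n".join(mirror_auditallow(SAMPLE_TE, "platform_app")))
    print("# auditd-side: append to audit.rules")
    print(audit_rule("platform_app"))
```

Switching the domain under study to media_app, as asked in the original question, is then a matter of re-running the generator with a different argument rather than changing the kernel; the resulting auditallow rules are compiled into the policy like any other statement, and the audit.rules line is loaded with auditctl -R.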
