On Mon, 2004-12-20 at 16:32, Browder, Tom wrote:
> But the denial is the same whether I do 'ls /etc/shadow' or 'mv
> /etc/shadow /etc/shadow.save'. Is there a way to show the different
> system calls?

I suspect that you are only getting a getattr denial on the latter for when mv tries to stat the file, but you are never reaching the SELinux permission checks for the rename(2) itself, because Linux DAC will block access unless you are uid 0. In any event, you can enable system call auditing via the audit=1 kernel boot parameter or via auditctl -e 1.

> Here's my situation: I have a customer who wants to audit specific
> commands on specific files and directories, i.e., who's doing what to
> whom and when.
>
> Is there an "easy" way to do something like that?
>
> Thanks, and I'll try not to bug you any more.

I suspect that you don't actually want SELinux auditing here, as it is just of MAC permission checks, but instead want ordinary system call auditing. There is ongoing work to enhance the existing Linux audit framework and userspace tools toward that end, see the linux-audit mailing list.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
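Added example, not part of the thread: once system call auditing is on (audit=1 or auditctl -e 1), the "who's doing what to whom and when" question is answered by correlating the SYSCALL and PATH records that share one event serial. The log lines below are constructed, not real audit output; the rule key `shadow-watch`, the pids and the x86_64 syscall-number subset are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not real log data) of what auditd writes with syscall auditing on and a
# watch such as `auditctl -w /etc/shadow -p wa -k shadow-watch` loaded. Event 456: a user's
# failed rename; event 457: a call made as uid 0 after su, where auid (login uid) is still 1000.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1103578320.123:456): arch=c000003e syscall=82 success=no exit=-13 pid=2002 auid=1000 uid=1000 comm="mv" exe="/bin/mv" key="shadow-watch"
type=CWD msg=audit(1103578320.123:456): cwd="/etc"
type=PATH msg=audit(1103578320.123:456): item=0 name="/etc/shadow" ouid=0 ogid=0
type=PATH msg=audit(1103578320.123:456): item=1 name="/etc/shadow.save" ouid=0 ogid=0
type=SYSCALL msg=audit(1103578325.500:457): arch=c000003e syscall=2 success=yes exit=3 pid=3002 auid=1000 uid=0 comm="vipw" exe="/usr/sbin/vipw" key="shadow-watch"
type=CWD msg=audit(1103578325.500:457): cwd="/root"
type=PATH msg=audit(1103578325.500:457): item=0 name="/etc/shadow" ouid=0 ogid=0
"""
SYSCALL_NAMES = {2: "open", 4: "stat", 82: "rename", 87: "unlink"}  # x86_64 subset (arch=c000003e)
HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_log(text):
    """Group SYSCALL/PATH records by event serial and flatten each event into one dict."""
    groups = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, secs, serial, body = m.groups()
        f = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = groups.setdefault(int(serial), {"paths": []})
        if rtype == "SYSCALL":
            # auid is the login uid ("who"), preserved across su/sudo; uid is the uid of the call
            ev.update(auid=f.get("auid"), uid=f.get("uid"), comm=f.get("comm"), key=f.get("key"),
                      success=f.get("success") == "yes",
                      syscall=SYSCALL_NAMES.get(int(f["syscall"]), f["syscall"]),
                      time=datetime.fromtimestamp(int(secs), timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
        elif rtype == "PATH":  # for rename, item 0 is the source and item 1 the target
            ev["paths"].append((int(f["item"]), f["name"]))
    events = []
    for serial in sorted(groups):
        ev = groups[serial]
        ev["serial"], ev["paths"] = serial, [n for _, n in sorted(ev["paths"])]
        events.append(ev)
    return events


def summarize(events):
    # One "who did what to whom and when" line per event
    return [f'{e["time"]} auid={e["auid"]} uid={e["uid"]} {e["comm"]} {e["syscall"]}'
            f'({", ".join(e["paths"])}) {"ok" if e["success"] else "failed"} key={e["key"]}'
            for e in events]
```

Calling `summarize(parse_audit_log(SAMPLE_LOG))` yields one line per event; the second line shows a uid 0 call traced back to login uid 1000, which is what distinguishes syscall auditing from the per-check SELinux denials discussed above.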