>I set up the following policy (local.te) for a stock RHEL AS 4 build >(using the targeted policy source) As Stephen said, RHEL4 has file auditing in it if you upgrade to U2. There is a file /etc/audit.rules where you would put any audit rules that you want. There is another file, capp.rules that is put in the audit package's docs dir that gives you a sample CAPP configuration. In any event, to watch write's to passwd, you would add the following line to /etc/audit.rules. -w /etc/passwd -p w If you put the watch to a directory, you will get updates to the directory entries which may miss events. Fedora does not have the ability to watch files at this point because the patch was rejected due to overlapping hooks with inotify. A new patch will be sent upstream soon so that fedora will have this ability at some point. -Steve __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
