>If I'm reading this correctly, this could be a "Using SELinux to
>perform self-auditing" (or whatever) topic, including why you would do that,
>why SELinux is a good way to do it,

SE Linux is the wrong approach for this. This is more in the domain of what the
audit system does. A simple case of auditing root actions is handled by this:

-a always,entry -S execve -F "auid>500" -F uid=0

This will capture all execve parameters for people that logged in with a normal
user account and have changed uid to root. You have to forbid people logging in
directly as root, too. It might be better if we update bash to log commands
instead of getting every execve.

-Steve

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
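To show what the records produced by the rule in the message above look like when reviewed, here is an added example (not part of the original post) that pairs each SYSCALL record with its EXECVE record and rebuilds the command line for events matching uid=0 and auid>500. The log lines are constructed samples and the function names are hypothetical; the include_unset switch is there because an unset login uid is logged as 4294967295, which also satisfies auid>500.

```python
import re

# Constructed sample records (not from the original post), laid out the way
# auditd writes them: a SYSCALL and an EXECVE record share one event id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1136400000.123:101): arch=40000003 syscall=11 success=yes exit=0 items=2 ppid=2100 pid=2101 auid=501 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat"
type=EXECVE msg=audit(1136400000.123:101): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1136400001.456:102): arch=40000003 syscall=11 success=yes exit=0 items=2 ppid=2100 pid=2102 auid=501 uid=501 gid=501 euid=501 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1136400001.456:102): argc=1 a0="ls"
type=SYSCALL msg=audit(1136400002.789:103): arch=40000003 syscall=11 success=yes exit=0 items=2 ppid=1 pid=2103 auid=4294967295 uid=0 gid=0 euid=0 comm="crond" exe="/usr/sbin/crond"
type=EXECVE msg=audit(1136400002.789:103): argc=1 a0="crond"
type=SYSCALL msg=audit(1136400003.000:104): arch=40000003 syscall=11 success=yes exit=0 items=2 ppid=2100 pid=2104 auid=502 uid=0 gid=0 euid=0 comm="touch" exe="/bin/touch"
type=EXECVE msg=audit(1136400003.000:104): argc=2 a0="touch" a1=2F746D702F612062
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295  # (uid_t)-1: the process never went through a login

def decode_arg(raw):
    # EXECVE arguments are quoted, or hex-encoded when they contain
    # spaces or other characters that would break the field layout.
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def root_execs(log_text, min_auid=500, include_unset=False):
    """Return (auid, exe, argv) for events matching uid=0 and auid>min_auid."""
    syscalls, argvs = {}, {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        key, fields = m.group(2, 3), dict(FIELD.findall(m.group(4)))
        if m.group(1) == "SYSCALL":
            syscalls[key] = fields
        elif m.group(1) == "EXECVE":
            argc = int(fields["argc"])
            argvs[key] = [decode_arg(fields.get(f"a{i}", "")) for i in range(argc)]
    hits = []
    for key, sc in syscalls.items():
        auid, uid = int(sc["auid"]), int(sc["uid"])
        if uid != 0 or auid <= min_auid or (auid == UNSET_AUID and not include_unset):
            continue
        hits.append((auid, sc["exe"].strip('"'), argvs.get(key, [])))
    return hits
```

The auid in each result identifies the login account behind a command run as root, which is the attribution the rule is meant to provide.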