On 05/24/2011 12:45 PM, Mr Dash Four wrote: > >> I think no, the man page is not so clear IMHO but the error message >> is, and i also read the code (sure i could be wrong) . BTW, you can >> add on the top of the audit rule that exclude ALL the USER_ACCT > That's an overkill and completely unsuitable in what I am trying to do - > I need more fine-grained match. I can't just disable *all* auditing on > USER_ACCT-type messages - this would open the door to possible > intrusions, which I won't be able to see if I disable all USER_ACCT-type > messages. Not a chance of that ever happening! > >> -A exit,never -F arch=b64 -S open -F exit=-EACCES -F subj_type=initrc_t -k open >> > I don't yet know what type of syscalls (if any) there could be. Besides, > there is nowhere I could find a fairly complete list of those. I have > email to see if I could get on the audit list and ask somebody there for > advice as I am still in denial that I couldn't enable more fine-grained > filter on this. > > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux How about a rule like: auditctl -a user,never -F subj_type=crond_t -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
