Re: excluding auditd events

On 05/24/2011 10:10 PM, Mr Dash Four wrote:
> 
>> How about a rule like:
>>
>> auditctl -a user,never -F subj_type=crond_t
>>   
> Not very helpful, I am afraid - crond_t could "misbehave" in different
> ways, hence why I also need to limit by message type as well as a bare
> minimum. Is this something which is restricted by the kernel or the daemon?

You are only excluding 'user' messages.  I don't know the list of which
msg types are 'user' messages off the top of my head, but it isn't that
long.  I don't believe that crond sends any other user messages (but it
wouldn't be the first time I was wrong).  You would still audit things
like AVC denials for cron or any syscall audit rules you have.
Basically that is going to deny all audit messages that cron explicitly
sent to the audit system, but not messages generated by the kernel for cron.

-Eric
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
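
The distinction drawn in the reply above, as an added example that is not part of the original thread: a Python model of which records a `user,never` rule keyed on `subj_type` drops and which still reach the log. The log lines are constructed, the type numbers are a partial table taken from the kernel's `linux/audit.h`, and the function names are hypothetical.

```python
import re

# Partial name -> number table for audit record types (values from linux/audit.h).
RECORD_TYPES = {
    "USER_ACCT": 1101, "CRED_ACQ": 1103, "CRED_DISP": 1104,
    "USER_START": 1105, "USER_END": 1106, "USER_AVC": 1107,
    "SYSCALL": 1300, "AVC": 1400,
}

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = [
    "type=USER_START msg=audit(1306275001.101:451): user pid=2345 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root res=success'",
    "type=CRED_DISP msg=audit(1306275001.350:452): user pid=2345 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=root res=success'",
    "type=AVC msg=audit(1306275002.210:453): avc:  denied  { read } for  pid=2345 comm=crond scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file",
    "type=SYSCALL msg=audit(1306275002.210:453): arch=c000003e syscall=2 success=no pid=2345 comm=crond subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)",
    "type=USER_START msg=audit(1306275003.007:454): user pid=2400 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=alice res=success'",
]

def is_user_message(type_no):
    """True for record types sent by user-space programs (AUDIT_USER and the two user ranges)."""
    return type_no == 1005 or 1100 <= type_no <= 1199 or 2100 <= type_no <= 2999

def record_type(line):
    """Return the record type name from the leading type= field, or None."""
    m = re.match(r"type=(\w+)", line)
    return m.group(1) if m else None

def subj_type(line):
    """Return the SELinux type (third field) of the record's subj= context, or None."""
    m = re.search(r"\bsubj=[^:\s]+:[^:\s]+:([^:\s]+)", line)
    return m.group(1) if m else None

def dropped_by_rule(line, rule_subj_type):
    """Model of 'auditctl -a user,never -F subj_type=<rule_subj_type>' for one record."""
    type_no = RECORD_TYPES.get(record_type(line))
    if type_no is None or not is_user_message(type_no):
        return False  # kernel-generated or unknown type: the user list is never consulted
    return subj_type(line) == rule_subj_type

def surviving_types(lines, rule_subj_type="crond_t"):
    """Record types that are still logged with the rule loaded."""
    return [record_type(l) for l in lines if not dropped_by_rule(l, rule_subj_type)]

if __name__ == "__main__":
    print(surviving_types(SAMPLE_LOG))
```
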

