On Tuesday, November 22, 2016 2:47:15 PM EST Stephen Smalley wrote:
> >> At present, we only generate AUDIT_MAC_STATUS, AUDIT_MAC_LOAD, and
> >> AUDIT_MAC_CONFIG_CHANGE on success (or at least partial success). If
> >> you truly need to audit failures, then it seems like you either need to
> >> a) do it through syscall audit filters, which already provide a success=
> >> field
> >
> > I can't imagine what to audit on. There is an open syscall that has a
> > path. But I suspect that does not fail because policy has not been written.
> > There is a write syscall but triggering on that is pretty generic. This is
> > not ideal.
>
> Can't you write an audit syscall filter or watch on
> /sys/fs/selinux/load? Ditto for /sys/fs/selinux/enforce,
> /sys/fs/selinux/commit_pending_bools, etc.

Yes, you can. But this is for the open syscall. sel_write_load() is the
function where the auditing is done, but it's mapped to the .write member of
sel_load_ops. Auditing on write is not a good thing.

So, if AUDIT_MAC_POLICY_LOAD must only appear when there is success, then it's
best to create a second event for failure and hard code the 'res' fields for
both.

-Steve
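The syscall-audit route Stephen describes, a watch on /sys/fs/selinux/load for writes with the success= field doing the work, as an added shell example that is not part of the thread; the rule keys and the audit records are constructed assumptions, not output from a real system:

```shell
#!/bin/sh
# Added example, not code from the thread: the syscall-audit approach
# Stephen describes. Rule keys and the audit records below are constructed
# assumptions, not captured output from a real system.

# Watch rules an administrator would load with auditctl (as root):
#   auditctl -w /sys/fs/selinux/load    -p w -k selinux-policy-load
#   auditctl -w /sys/fs/selinux/enforce -p w -k selinux-enforce
# The resulting SYSCALL records carry success=yes/no and exit= for the
# write(2), which is what the AUDIT_MAC_* records lack on failure.

# Constructed sample SYSCALL records (fields trimmed to those used here;
# syscall=1 is write on x86_64).
SAMPLE_RECORDS='type=SYSCALL msg=audit(1479844035.123:201): arch=c000003e syscall=1 success=yes exit=3145728 pid=2211 uid=0 comm="load_policy" key="selinux-policy-load"
type=SYSCALL msg=audit(1479844101.456:202): arch=c000003e syscall=1 success=no exit=-22 pid=2250 uid=0 comm="load_policy" key="selinux-policy-load"
type=SYSCALL msg=audit(1479844150.789:203): arch=c000003e syscall=1 success=no exit=-13 pid=2301 uid=1000 comm="bash" key="selinux-enforce"
type=SYSCALL msg=audit(1479844160.000:204): arch=c000003e syscall=1 success=yes exit=1 pid=2305 uid=0 comm="bash" key="selinux-enforce"'

# Print "timestamp key pid uid exit" for each failed write matching KEY.
failed_writes() {  # $1 = audit rule key, audit records on stdin
    awk -v key="$1" -v want="key=\"$1\"" '
        $1 == "type=SYSCALL" && index($0, "success=no") && index($0, want) {
            ts = $2; sub(/^msg=audit\(/, "", ts); sub(/:.*$/, "", ts)
            pid = uid = ex = ""
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "pid") pid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "exit") ex = kv[2]
            }
            print ts, key, pid, uid, ex
        }'
}

# Number of failed writes for a key: the value a monitoring check alerts on.
count_failed() {
    printf '%s\n' "$SAMPLE_RECORDS" | failed_writes "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list failed policy loads from the sample.
printf '%s\n' "$SAMPLE_RECORDS" | failed_writes selinux-policy-load
```

On a live system the records come from `ausearch -k selinux-policy-load --raw` rather than the embedded sample, and the exit= value is the negative errno the write returned.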