Re: audit policy tag?

From: Stephen Smalley <sds_at_tislabs.com>
Date: Thu, 10 Jan 2002 15:02:43 -0500 (EST)

On Thu, 10 Jan 2002, Shaun Savage wrote:

> Is there a policy tag that would allow an audit trail? I see an audit on
> failure, but I would like to see an audit trail on success also. I would
> assume success audit would require a tag
> audit zot_t zot_t:file read
> when executing in zot_t domain a read of a zot_t file would write
> something to the log.

By default, everything is audited on denial and nothing is audited on success. However, you can configure specific cases using the 'auditdeny' and 'auditallow' rules in the TE configuration. Typically, when using 'auditdeny' you are reducing the set of audited permissions, which is why those rules use '~' to obtain the complement of a set. An example of 'auditallow' might be to audit every use of avc_toggle, which can be achieved via:

        auditallow { initrc_t sysadm_t } kernel_t:system avc_toggle;

> Also is there a way to redirect the log to something other than syslog?

At present, SELinux simply uses the existing kernel logging facility, since developing an auditing subsystem was outside the scope of the project. Of course, you can tell klogd to log kernel messages somewhere other than syslog.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
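Added example, not part of the original thread: the TE rules that would give Shaun's hypothetical zot_t domain the success audit he asked about, next to an 'auditdeny' rule written with the '~' complement Stephen describes. The type and domain names are the ones from the question, not from any shipped policy.

```selinux
# Constructed example for the hypothetical zot_t domain and zot_t file type.
# auditallow never grants access; the read must still be permitted by an allow rule.
allow zot_t zot_t:file read;
# Log every *successful* read of a zot_t file by the zot_t domain.
auditallow zot_t zot_t:file read;
# Denials are audited for every permission by default; '~' selects the complement,
# so this keeps auditing every denied permission on zot_t files except getattr.
auditdeny zot_t zot_t:file ~{ getattr };
```

Without the allow rule the auditallow rule is inert, since a denied read is reported by the default denial audit rather than as a success.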




Received on Thu 10 Jan 2002 - 15:11:30 EST
