# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
-a exit,always -S chroot
#-a exit,always -S chdir -F obj_type=dhclient_t

I don't know the rule syntax, but just looking at the source, it appears to me that the rule on line 15 is malformed (at least compared to the others).
All of those rules look fine for audit package > 1.3 and kernel probably > 2.6.21. But those rules are not default and would have taken some research to come up with since I know of no public examples of auditing by selinux context.
-Steve
On Sunday 21 October 2007, Steve G wrote: [...]
# Feel free to add below this line. See auditctl man page
-a exit,always -S chroot
#-a exit,always -S chdir -F obj_type=dhclient_t

I don't know the rule syntax, but just looking at the source, it appears to me that the rule on line 15 is malformed (at least compared to the others).
All of those rules look fine for audit package > 1.3 and kernel probably > 2.6.21. But those rules are not default and would have taken some research to come up with since I know of no public examples of auditing by selinux context.
So what should line 15 look like today?
selinux@lists.fedoraproject.org