On 05/24/2011 12:45 PM, Mr Dash Four wrote:
> I think no, the man page is not so clear IMHO but the error message
> is, and i also read the code (sure i could be wrong) . BTW, you can
> add on the top of the audit rule that exclude ALL the USER_ACCT
That's an overkill and completely unsuitable in what I am trying to do -
I need more fine-grained match. I can't just disable *all* auditing on
USER_ACCT-type messages - this would open the door to possible
intrusions, which I won't be able to see if I disable all USER_ACCT-type
messages. Not a chance of that ever happening!
> -A exit,never -F arch=b64 -S open -F exit=-EACCES -F subj_type=initrc_t -k open
>
I don't yet know what type of syscalls (if any) there could be. Besides,
there is nowhere I could find a fairly complete list of those. I have
email to see if I could get on the audit list and ask somebody there for
advice as I am still in denial that I couldn't enable more fine-grained
filter on this.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
How about a rule like:
auditctl -a user,never -F subj_type=crond_t