Re: Auditing file access

On Mon, 2005-11-14 at 20:11 +0000, Eric Howard wrote:
> Following up on some instructions I found in the list archives (posted by 
> Stephen Smalley), I set up the following policy (local.te) for a stock RHEL 
> AS 4 build (using the targeted policy source)
> 
> # Allow all user domains to create and modify these files.
> allow userdomain audited_file_t:dir create_dir_perms;
> allow userdomain audited_file_t:{ file lnk_file } create_file_perms;
> # Audit all accesses by user domains to these files.
> auditallow userdomain audited_file_t:{ dir file lnk_file } *
> 
> I also set my grub.conf to set audit=1 and also set 'auditctl -e 1'
> 
> I created a directory off of root called /testdir and assigned it the 
> following context: user_u:object_r:audited_file_t
> 
> I was hoping that all file activity in this directory would be logged but 
> this does not seem to be happening.  Is there something I am missing?

I suspect that the problem here is that you are using targeted policy,
and targeted policy doesn't deal with user domains.  Targeted policy
only tries to confine specific daemons, not users.  Hence, you likely
want your auditallow rule to be in terms of unconfined_t rather than
userdomain.

But note that RHEL4 Update ?2? should include enhanced auditing support,
so you shouldn't even need SELinux per se to apply auditing if that is
all you want (i.e. you don't care about mandatory access control).
auditctl and auditd should let you configure your auditing directly
without dealing with SELinux policy.

-- 
Stephen Smalley
National Security Agency