Closed petervo closed 7 years ago
The easiest way is to turn on full auditing by adding an audit rule like this:
# auditctl -D
# auditctl -w /etc/shadow -p w
or change /etc/audit/rules.d/audit.rules and restart auditd
Looking for pathname using inode could take a long time. Some information related to this problem can be found at http://danwalsh.livejournal.com/34903.html
@bachradsusi thanks, that makes sense. We need to generate some sort of automatically fixable errors for tests. Are there any automatically fixable rules that don't require us to do this? Or is using auditctl to turn on full auditing the best way to go?
I'm afraid that the only reliable solution for now is to turn full auditing on using -w /etc/shadow -p w. Or you can run a system in permissive mode to get AVC denial messages for the open syscall, which already contain the path= element.
Ok, thanks for your help.
Say I have the following selinux error.
sealert is not able to suggest an automatic restorecon fix. If I manually edit the message to add a path field path="/root/.ssh/authorized_keys" it is able to find it. I would have thought that between the dev and ino fields sealert would be able to find the path. But either way, is there a way to either get selinux to put paths in the log or get sealert to find paths from dev + ino. Tested with the latest packages on f27.
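An added example, not part of the thread and not sealert's own code: a sketch of what resolving a path from the `dev` and `ino` fields of an AVC record involves, which shows why the lookup can take a long time (every entry on the filesystem has to be stat'ed). The record is constructed, the function names are hypothetical, and the caller is assumed to already know which mount point the `dev` name refers to.

```python
import os
import re

# Constructed sample AVC record (not from the thread); the caller fills in ino.
SAMPLE_AVC = (
    'type=AVC msg=audit(1510000000.123:456): avc:  denied  { read } for  '
    'pid=1234 comm="sshd" name="authorized_keys" dev="dm-0" ino=%d '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of an audit record, quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def resolve_inode(mount_point, ino, name=None):
    """Return every path under mount_point whose inode number equals ino.

    Assumption: mount_point is where the record's dev= device is mounted.
    The walk stays on that filesystem (like find -xdev) because inode
    numbers are only unique per device. Passing the record's name= field
    skips the stat call for entries with a different basename.
    """
    root_dev = os.lstat(mount_point).st_dev
    matches = []
    for dirpath, dirnames, filenames in os.walk(mount_point):
        same_fs_dirs = []
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            is_dir = entry in dirnames
            if not is_dir and name is not None and entry != name:
                continue  # cheap basename filter, no stat needed
            try:
                st = os.lstat(full)
            except OSError:
                continue  # entry vanished or is unreadable
            if st.st_dev != root_dev:
                continue  # different filesystem mounted below
            if is_dir:
                same_fs_dirs.append(entry)
            if st.st_ino == ino and (name is None or entry == name):
                matches.append(full)
        dirnames[:] = same_fs_dirs  # prune other filesystems from the walk
    return sorted(matches)
```

More than one path can come back when the inode has hard links, which is one reason a `path=` field in the record (from the audit watch rule or an `open` denial) is the more reliable input.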