On 05/13/2014 09:56 AM, James B. Byrne wrote: > On Mon, May 12, 2014 14:05, Daniel J Walsh wrote: > >>> dac_read_search and dac_override are usually bad to add. They typically >>> mean the permission flags on the file in question is two tight for a >>> root process to read/use. >>> >>> Loosing up the group/other permissions would probably allow a root >>> process to read the object without requiring these capabities. >> I just wrote a quick blog on this. >> >> https://danwalsh.livejournal.com/69478.html >> >> > So, to turn on full path reporting I do this: > > # echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules > # service auditd restart > > My question is: what is the effect that "-w /etc/shadow -p w" has on SELinux > with respect to reporting the full path of file names in AVCs? In other > words, why does that work? > This rule above does not effect SELinux at all, specifically. The rule above tells the audit system to generate an audit messages any time a process writes to /etc/shadow. It has the side effect of telling the kernel to turn on full audit. Full audit gathers full paths before making a syscall, so if SELinux blocks a syscall, the PATH record gets generated. The problem with turning this on by default, it it has a fairly large performance hit. ~5%. We only want to turn on full auditing for people who require it.