On Wed 05-03-25 16:33:19, Richard Guy Briggs wrote:
> When no audit rules are in place, fanotify event results are
> unconditionally dropped due to an explicit check for the existence of
> any audit rules. Given this is a report from another security
> sub-system, allow it to be recorded regardless of the existence of any
> audit rules.
>
> To test, install and run the fapolicyd daemon with default config. Then
> as an unprivileged user, create and run a very simple binary that should
> be denied. Then check for an event with
> ausearch -m FANOTIFY -ts recent
>
> Link: https://issues.redhat.com/browse/RHEL-1367
> Signed-off-by: Richard Guy Briggs <r...@redhat.com>
I don't know enough about security modules to tell whether this is what
admins want or not so that's up to you but:
> -static inline void audit_fanotify(u32 response, struct
> fanotify_response_info_audit_rule *friar)
> -{
> - if (!audit_dummy_context())
> - __audit_fanotify(response, friar);
> -}
> -
I think this is going to break compilation with !CONFIG_AUDITSYSCALL &&
CONFIG_FANOTIFY?
Honza
--
Jan Kara <j...@suse.com>
SUSE Labs, CR
