You can use auditallow statements in the .te files to enable auditing of allowed/granted permissions. Same syntax as allow rules. So, for example, if you mirrored every allow rule with a corresponding auditallow rule, you'd see every access granted (as an avc: granted log message). However, this will likely flood the logs and DoS your system, so I'd recommend being more selective. The other approach would be to write some audit syscall filters in audit.rules based on SELinux context.
On Fri, Feb 28, 2014 at 8:31 PM, Ruowen Wang <[email protected]> wrote:
> Hi SEAndroid,
>
> I am trying to capture all operations (mainly system calls) of a specific
> domain type, such as platform_app. I do want to keep all duplicated denials
> of a specific domain type along with every related system call in the audit
> log for my analysis.
>
> I am reading the code in selinux/avc.c. I think the functions "avc_audit,
> slow_avc_audit" should be related to this. Suppose the domain type I want is
> "platform_app", is it possible to first check the ssid/tsid of platform_app
> and then bypass the audited checking, which can force it to call
> slow_avc_audit?
>
> Furthermore, if later on I want to focus on another domain, such as
> media_app, is it possible to pass the domain type as an argument from user
> space to the selinux avc module to do the above job? I notice the "auditd"
> daemon has some ways to send some info to the kernel. Can I use that?
>
> Thanks in advance.
>
> ----
> Best Regards!
> Ruowen
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
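The two approaches in the reply above (a mirrored auditallow rule in policy, and an audit.rules filter keyed on the SELinux subject type), as an added example that is not part of the original thread and not SEAndroid project code. The domain/class/permission triple in the .te fragment is hypothetical, the audit log lines are constructed rather than captured from a device, and the rules assume an auditctl-compatible loader is available on the target:

```shell
#!/bin/sh
# Added example for this thread, not code from the original mail or from the
# SEAndroid project. The rule lines, file contents and log lines below are
# constructed for illustration; the domain, class and permissions are
# hypothetical.

# Emit a .te fragment that mirrors one allow rule with an auditallow rule.
# Granted accesses matching it are then logged as "avc: granted" records.
# Mirroring every allow rule in the policy floods the log, so mirror only
# the class/permission pairs you actually want to observe.
te_audit_rules() {
    domain="$1"
    cat <<EOF
# existing rule (hypothetical)
allow ${domain} app_data_file:file { read write open };
# mirror it so grants are audited, not just denials
auditallow ${domain} app_data_file:file { read write open };
EOF
}

# Emit audit.rules lines that log every syscall made by processes running in
# a given SELinux domain. -F subj_type= filters on the type field of the
# subject's context, so switching to another domain (media_app, ...) means
# regenerating these lines and reloading them (auditctl -R), no kernel change.
syscall_audit_rules() {
    domain="$1"
    cat <<EOF
-a always,exit -F arch=b32 -S all -F subj_type=${domain} -k ${domain}_syscalls
-a always,exit -F arch=b64 -S all -F subj_type=${domain} -k ${domain}_syscalls
EOF
}

# Constructed sample of the records the two approaches produce (not a real
# capture): a grant and a denial from platform_app, the SYSCALL record tied to
# the denial by its serial (:46), and one grant from an unrelated domain.
SAMPLE_LOG='type=AVC msg=audit(1393635000.123:45): avc: granted { read } for pid=1234 comm="app" path="/data/data/x/f" dev="mmcblk0p1" ino=100 scontext=u:r:platform_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
type=AVC msg=audit(1393635001.456:46): avc: denied { write } for pid=1234 comm="app" path="/data/x" dev="mmcblk0p1" ino=101 scontext=u:r:platform_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=SYSCALL msg=audit(1393635001.456:46): arch=40000028 syscall=5 success=no exit=-13 a0=0 a1=1 a2=0 a3=0 items=0 pid=1234 comm="app" subj=u:r:platform_app:s0 key="platform_app_syscalls"
type=AVC msg=audit(1393635002.789:47): avc: granted { read } for pid=2222 comm="media" path="/data/data/y/f" dev="mmcblk0p1" ino=102 scontext=u:r:media_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file'

# Count records attributable to one domain: AVC records carry the subject in
# scontext=, SYSCALL records carry it in subj=. "|| true" keeps a zero count
# (grep -c exits 1 when nothing matches) from aborting under set -e.
count_domain_records() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c -E "(scontext|subj)=u:r:$1:s0" || true
}

# Count only the grants for a domain: the records that exist solely because
# of the auditallow rule.
count_granted() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -E "scontext=u:r:$1:s0" | grep -c 'avc: granted' || true
}

te_audit_rules platform_app
syscall_audit_rules platform_app
count_domain_records platform_app   # 3
count_granted platform_app          # 1
```

Re-targeting another domain is then a matter of calling syscall_audit_rules with a different name and reloading the rules, rather than passing the domain into the kernel's avc code; the auditallow route still requires a policy rebuild for each domain/class pair you add.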
