Deleted directory path not recorded when running rmdir with slash at directory path end

2021-03-04 Thread Alan Evangelista
If I run the rmdir command with a directory path with a slash at its end, Audit doesn't record the deleted directory path. Audit rule: -a always,exit -F dir=/sasdata -F arch=b64 -S creat -S open -S openat -S unlink -S unlinkat -S symlink -S symlinkat -S link -S linkat -S rename -S renameat -S chmo

Quick announcement on the selinux/next and audit/next branches

2021-03-04 Thread Paul Moore
Hello all, As many of you are aware, normally with the close of the merge window and the release of -rc1 I typically reset the selinux/next and audit/next branches to Linus' -rc1 tag. However, as you may have heard already, there is a nasty problem with the early v5.12 kernels, including -rc1, wh

Re: [RFC PATCH 1/4] lsm: separate security_task_getsecid() into subjective and objective variants

2021-03-04 Thread Paul Moore
On Thu, Mar 4, 2021 at 5:04 AM Jeffrey Vander Stoep wrote: > On Sat, Feb 20, 2021 at 3:45 PM Paul Moore wrote: > > On Fri, Feb 19, 2021 at 9:57 PM James Morris wrote: > > > On Fri, 19 Feb 2021, Paul Moore wrote: > > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > > > ind

Re: [RFC PATCH 0/4] Split security_task_getsecid() into subj and obj variants

2021-03-04 Thread Paul Moore
On Wed, Mar 3, 2021 at 9:21 PM Casey Schaufler wrote: > On 3/3/2021 4:46 PM, Paul Moore wrote: ... > > Assuming you are still good with these changes Casey, any chance I can > > get an ACK on the LSM and Smack patches? > > Yes. You can add my: > > Acked-by: Casey Schaufler > > to both. Done, t

Re: [RFC PATCH 1/4] lsm: separate security_task_getsecid() into subjective and objective variants

2021-03-04 Thread Jeffrey Vander Stoep
On Sat, Feb 20, 2021 at 3:45 PM Paul Moore wrote: > > On Fri, Feb 19, 2021 at 9:57 PM James Morris wrote: > > On Fri, 19 Feb 2021, Paul Moore wrote: > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > > index c119736ca56ac..39d501261108d 100644 > > > --- a/drivers/android/b

Re: auditd daemon is changing /tmp permissions

2021-03-04 Thread Steve Grubb
Hello, On Thursday, March 4, 2021 10:45:03 AM EST Ivan Castell wrote: > Just testing different versions of audit, discovered that version 2.8.5 and > 3.0.1 are changing permissions of /tmp from 1777 to 700. This is a problem > as normal non-root users can't write in /tmp after starting auditd. >

auditd daemon is changing /tmp permissions

2021-03-04 Thread Ivan Castell
Hello all. Just testing different versions of audit, discovered that version 2.8.5 and 3.0.1 are changing permissions of /tmp from 1777 to 700. This is a problem as normal non-root users can't write in /tmp after starting auditd. The problem is related with the daemon, as commenting this call: