https://bugzilla.novell.com/show_bug.cgi?id=130049#c6
John Johansen changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjohansen@novell.com
AssignedTo|msvec@novell.com |jjohansen@novell.com
--- Comment #6 from John Johansen 2007-11-15 19:14:28 MST ---
The ability to control auditing and quieting of events in AppArmor has been
prototyped and is likely to show up in SL10.4/SLES 11.
The prototype currently works as follows. The deny rules and the audit keyword
have been added. Deny rules allow profiles to store what has been explicitly
denied so they will not be asked for again during profiling. They also by
default quiet the rejection messages. The audit keyword forces an audit or
reject message to be logged when a given rule is matched.
So for the above example:
! /etc/shadow r, # don't allow reads and don't log read rejects to /etc/shadow
! /etc/shadow rw, # same as above except for read and write
To force a denial to be logged, the deny rule can be removed (but then the
tools will prompt for it in profile learning), or the audit tag can be added.
audit ! /etc/shadow rw, # audit rw rejects to /etc/shadow but tools won't prompt
The audit keyword can be used to force positive rules to always log a match.
audit /etc/shadow w, # always log when /etc/shadow is updated.
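The following is an added example, not part of the original comment and not AppArmor code: a small Python model of the prototype semantics described in comment #6, showing for each access whether it is allowed, whether a message is logged, and whether the learning tools would prompt. It assumes exact path matching (no globs), that an explicit deny takes precedence over an allow rule, and that an unaudited allow is not logged; `Rule`, `parse_rule` and `decide` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str
    perms: frozenset
    deny: bool    # rule written with the prototype "!" prefix
    audit: bool   # rule written with the "audit" keyword


def parse_rule(line):
    """Parse one rule in the prototype syntax quoted in the comment."""
    body = line.split("#", 1)[0].strip().rstrip(",")
    tokens = body.split()
    audit = tokens[0] == "audit"
    if audit:
        tokens = tokens[1:]
    deny = tokens[0] == "!"
    if deny:
        tokens = tokens[1:]
    path, perms = tokens
    return Rule(path, frozenset(perms), deny, audit)


def decide(rules, path, perm):
    """Return (allowed, logged, tools_prompt) for a single access."""
    matching = [r for r in rules if r.path == path and perm in r.perms]
    denies = [r for r in matching if r.deny]
    if denies:
        # Explicit deny: quiet by default, logged only with "audit";
        # the tools do not ask about it again during profiling.
        return (False, any(r.audit for r in denies), False)
    if matching:
        # Allow rule: logged only when the audit keyword forces it.
        return (True, any(r.audit for r in matching), False)
    # No rule at all: rejected, logged, and prompted for in learning mode.
    return (False, True, True)


if __name__ == "__main__":
    # Constructed profiles, each holding one rule from the comment.
    for text in ("! /etc/shadow r,", "audit ! /etc/shadow rw,",
                 "audit /etc/shadow w,"):
        rules = [parse_rule(text)]
        for perm in "rw":
            print(f"{text!r:28} {perm} -> {decide(rules, '/etc/shadow', perm)}")
```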