avc messages corrupted?
Stephen Smalley
sds at tycho.nsa.gov
Mon Apr 25 12:56:32 UTC 2005
On Sun, 2005-04-24 at 10:38 -0700, Tom London wrote:
> On 4/23/05, Tom London <selinux at gmail.com> wrote:
> > Running targeted/enforcing, latest rawhide (.1261)
> >
> > Examining /var/log/messages, I notice some 'corrupted' avc messages, e.g.:
> >
> > Apr 23 13:05:33 localhost kernel: audit(1114286729.835:0): avc:
> > denied { search } for name=3228 dev=proc ino=211550210
> > scontext=system_u:system_r:initss=dir
> >
> > Apr 23 13:06:31 localhost kernel: audit(1114286790.120:0): avc:
> > denied { search } for name=3228 dev=proc ino=211550210
> > scontext=system_u:system_r:i127:0): avc: denied { search } for
> > name=1780 dev=proc ino=116654082 scontext=system_u:system_r:init_t
> > tcontext=system_u:system_r:kernel_t tclass=dir
> >
> > Apr 23 13:06:41 localhost kernel: audit(1114286800.202:0): avc:
> > denied { search } for name=3 dev=proc ino=196610
> > scontext=system_u:system_r:inystem_r:init_t
> > tcontext=system_u:system_r:kernel_t tclass=dir
> >
> > [initss? i127? inystem? there are more....]
> >
> > Is there a lock problem with auditing?
> > tom
>
> Hmmm, is this an instance of this problem in audit?
Yes, looks like it, and the bug goes back to when SELinux was first
converted to using the 2.6 audit framework; people were seeing it back
in FC2 times.
Note btw that the absence of the pid= and exe= information is a separate
issue; that is due to the patch that moved that logging to the audit
framework, so you need to enable syscall auditing to retain it. Boot
your kernel with audit=1 or use auditctl -e 1 to enable.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
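A small checker for the symptom Tom reports, added here as an example and not code from the thread or from the SELinux project: it parses AVC denial lines as syslog stored them (one record per line, no pid=/exe= fields since syscall auditing was off) and flags records whose fields look interleaved or truncated, as happens when two audit buffers are written concurrently. The first three sample lines are Tom's, re-joined onto single lines; the fourth and fifth are constructed (one intact, one with a second audit() header spliced into the middle). The scontext/tcontext shape check (user:role:type with a type ending in _t, no MLS field) is a heuristic assumption about the targeted policy of that era, not a kernel rule.

```python
import re

# Header of an AVC record as the 2.6 kernel of that era printed it via syslog.
# Assumption: one record per line, no pid=/exe= fields (syscall auditing off).
HEADER_RE = re.compile(
    r"^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value tokens that follow "for" (name=, dev=, ino=, scontext=, ...)
FIELD_RE = re.compile(r"^(?P<key>[a-z_]+)=(?P<value>\S+)$")
# Heuristic (assumption): a non-MLS context of that era is user:role:type
# with the type ending in _t, as in the reference policy naming convention.
CTX_RE = re.compile(r"^[a-z_]+:[a-z_]+:[a-z_]+_t$")
REQUIRED = ("scontext", "tcontext", "tclass")

# Sample input: three lines from the mail (re-joined), plus two constructed.
SAMPLE = [
    "Apr 23 13:05:33 localhost kernel: audit(1114286729.835:0): avc: denied { search } "
    "for name=3228 dev=proc ino=211550210 scontext=system_u:system_r:initss=dir",
    "Apr 23 13:06:31 localhost kernel: audit(1114286790.120:0): avc: denied { search } "
    "for name=3228 dev=proc ino=211550210 scontext=system_u:system_r:i127:0): avc: "
    "denied { search } for name=1780 dev=proc ino=116654082 "
    "scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir",
    "Apr 23 13:06:41 localhost kernel: audit(1114286800.202:0): avc: denied { search } "
    "for name=3 dev=proc ino=196610 scontext=system_u:system_r:inystem_r:init_t "
    "tcontext=system_u:system_r:kernel_t tclass=dir",
    # constructed: an intact record for contrast
    "Apr 23 13:07:00 localhost kernel: audit(1114286820.000:0): avc: denied { search } "
    "for name=1780 dev=proc ino=116654082 scontext=system_u:system_r:init_t "
    "tcontext=system_u:system_r:kernel_t tclass=dir",
    # constructed: a whole second header spliced in mid-record
    "Apr 23 13:07:05 localhost kernel: audit(1114286825.000:0): avc: denied { search } "
    "for name=3 audit(1114286825.001:0): avc: denied { read } for name=stat dev=proc "
    "ino=4 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=file",
]


def classify(line):
    """Return 'ok', or a short reason the record looks interleaved or truncated."""
    body = line.split("kernel: ", 1)[-1]
    if body.count("audit(") > 1:
        return "two audit() headers in one record"
    m = HEADER_RE.match(body)
    if not m:
        return "unrecognised header"
    fields = {}
    for tok in m.group("rest").split():
        f = FIELD_RE.match(tok)
        if not f:
            # e.g. a bare 'avc:' or 'denied' where key=value pairs belong
            return f"stray token {tok!r} after fields"
        if f.group("key") in fields:
            return f"duplicate field {f.group('key')}"
        fields[f.group("key")] = f.group("value")
    for key in REQUIRED:
        if key not in fields:
            # a record cut short before another record was appended to it
            return f"missing field {key}"
    for key in ("scontext", "tcontext"):
        if not CTX_RE.match(fields[key]):
            return f"malformed {key} {fields[key]!r}"
    return "ok"


def scan(lines):
    """Return [(line, reason)] for every AVC line that is not intact."""
    results = []
    for line in lines:
        if "avc:" not in line:
            continue
        reason = classify(line)
        if reason != "ok":
            results.append((line, reason))
    return results


if __name__ == "__main__":
    for line, reason in scan(SAMPLE):
        print(f"{reason}: {line[:70]}...")
```

Run against a real /var/log/messages, the scan only says a record is not parseable as one AVC message; it cannot recover the two original records, so a hit is a cue to enable syscall auditing (audit=1 or auditctl -e 1) and read the audit log rather than to trust the syslog copy.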