avc messages corrupted?

Tom London selinux at gmail.com
Sun Apr 24 17:38:11 UTC 2005


On 4/23/05, Tom London <selinux at gmail.com> wrote:
> Running targeted/enforcing, latest rawhide (.1261)
> 
> Examining /var/log/messages, I notice some 'corrupted' avc messages, e.g.:
> 
> Apr 23 13:05:33 localhost kernel: audit(1114286729.835:0): avc:
> denied  { search } for  name=3228 dev=proc ino=211550210
> scontext=system_u:system_r:initss=dir
> 
> Apr 23 13:06:31 localhost kernel: audit(1114286790.120:0): avc:
> denied  { search } for  name=3228 dev=proc ino=211550210
> scontext=system_u:system_r:i127:0): avc:  denied  { search } for
> name=1780 dev=proc ino=116654082 scontext=system_u:system_r:init_t
> tcontext=system_u:system_r:kernel_t tclass=dir
> 
> Apr 23 13:06:41 localhost kernel: audit(1114286800.202:0): avc:
> denied  { search } for  name=3 dev=proc ino=196610
> scontext=system_u:system_r:inystem_r:init_t
> tcontext=system_u:system_r:kernel_t tclass=dir
> 
> [initss? i127? inystem?  there are more....]
> 
> Is there a lock problem with auditing?
> tom

Hmmm, is this an instance of this problem in audit? 

tom
---------------------------------------------------------------------
This sounds like an old kernel bug. There was a patch on the audit mail list that
fixes it. It is pending being merged in the mm kernel. It only affects syslog
messages. If you use the audit daemon, you won't see the problem.

-Steve Grubb

--- linux/kernel/audit.c.orig   2005-02-16 13:49:28.839925080 -0500
+++ linux/kernel/audit.c        2005-02-16 13:53:24.757060224 -0500
@@ -513,8 +513,8 @@
               if (!audit_pid) { /* No daemon */
                       int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
                       int len    = skb->len - offset;
-                       printk(KERN_ERR "%*.*s\n",
-                              len, len, skb->data + offset);
+                       skb->data[offset + len] = '\0';
+                       printk(KERN_ERR "%s\n", skb->data + offset);
               }
               kfree_skb(skb);
               ab->nlh = NULL;
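
Review bot: the added store skb->data[offset + len] = '\0' lands at index skb->len (len is skb->len - offset), one byte past the message data, and nothing in the visible lines shows that a spare byte is reserved there. Check skb_tailroom(skb) before the store, or keep a length-bounded format such as "%.*s" with len, which needs no terminator. Plain "%s" also stops at the first NUL inside the payload, so a record containing one would be logged short.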

-- 
Tom London
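
A structural check that flags the kinds of damage shown in the quoted records, as an added example that is not part of the original thread or of the kernel audit code. The function names, the `_r`/`_t` naming assumption and the fourth (intact) sample record are constructed here.

```python
import re

# Assumption: contexts follow the naming seen on this page (role ends in _r,
# type ends in _t), optionally followed by an MLS level.
CONTEXT_RE = re.compile(r"^\w+:\w+_r:\w+_t(:[\w.,:-]+)?$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{[^}]*\}\s+for\s+(.*)$")

def check_avc(record):
    """Return the structural problems found in one syslog AVC record."""
    problems = []
    if record.count("avc:") > 1:
        problems.append("interleaved: second avc header inside record")
    m = AVC_RE.search(record)
    if m is None:
        return problems + ["unparseable: no avc denial found"]
    fields = {}
    for token in m.group(1).split():
        key, sep, value = token.partition("=")
        if sep:
            fields.setdefault(key, value)  # keep the first occurrence of a key
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            problems.append("missing " + key)
        elif key != "tclass" and not CONTEXT_RE.match(fields[key]):
            problems.append("malformed " + key + ": " + fields[key])
    return problems

# The first three records are the ones quoted in the message above, with the
# mail line wraps removed; the fourth is constructed to show an intact record.
SAMPLE = [
    "Apr 23 13:05:33 localhost kernel: audit(1114286729.835:0): avc:  denied  { search } for  "
    "name=3228 dev=proc ino=211550210 scontext=system_u:system_r:initss=dir",
    "Apr 23 13:06:31 localhost kernel: audit(1114286790.120:0): avc:  denied  { search } for  "
    "name=3228 dev=proc ino=211550210 scontext=system_u:system_r:i127:0): avc:  denied  "
    "{ search } for name=1780 dev=proc ino=116654082 scontext=system_u:system_r:init_t "
    "tcontext=system_u:system_r:kernel_t tclass=dir",
    "Apr 23 13:06:41 localhost kernel: audit(1114286800.202:0): avc:  denied  { search } for  "
    "name=3 dev=proc ino=196610 scontext=system_u:system_r:inystem_r:init_t "
    "tcontext=system_u:system_r:kernel_t tclass=dir",
    "Apr 23 13:07:00 localhost kernel: audit(1114286820.000:0): avc:  denied  { search } for  "
    "name=1 dev=proc ino=65538 scontext=system_u:system_r:init_t "
    "tcontext=system_u:system_r:kernel_t tclass=dir",
]

def scan(lines):  # index -> problems, only for records that fail a check
    return {i: p for i, line in enumerate(lines) if (p := check_avc(line))}

if __name__ == "__main__":
    for index, found in scan(SAMPLE).items():
        print(index, "; ".join(found))
```
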



