[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: avc messages corrupted?



On Sun, 2005-04-24 at 10:38 -0700, Tom London wrote:
> On 4/23/05, Tom London <selinux gmail com> wrote:
> > Running targeted/enforcing, latest rawhide (.1261)
> > 
> > Examining /var/log/messages, I notice some 'corrupted' avc messages, e.g.:
> > 
> > Apr 23 13:05:33 localhost kernel: audit(1114286729.835:0): avc:
> > denied  { search } for  name=3228 dev=proc ino=211550210
> > scontext=system_u:system_r:initss=dir
> > 
> > Apr 23 13:06:31 localhost kernel: audit(1114286790.120:0): avc:
> > denied  { search } for  name=3228 dev=proc ino=211550210
> > scontext=system_u:system_r:i127:0): avc:  denied  { search } for
> > name=1780 dev=proc ino=116654082 scontext=system_u:system_r:init_t
> > tcontext=system_u:system_r:kernel_t tclass=dir
> > 
> > Apr 23 13:06:41 localhost kernel: audit(1114286800.202:0): avc:
> > denied  { search } for  name=3 dev=proc ino=196610
> > scontext=system_u:system_r:inystem_r:init_t
> > tcontext=system_u:system_r:kernel_t tclass=dir
> > 
> > [initss? i127? inystem?  there are more....]
> > 
> > Is there a lock problem with auditing?
> > tom
> 
> Hmmm, is this an instance of this problem in audit? 

Yes, looks like it, and the bug goes back to when SELinux was first
converted to using the 2.6 audit framework; people were seeing it back
in FC2 times.

Note btw that the absence of the pid= and exe= information is a separate
issue; that is due to the patch that moved that logging to the audit
framework, so you need to enable syscall auditing to retain it.  Boot
your kernel with audit=1 or use auditctl -e 1 to enable.

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]