Re. 2.6.15-mm1
David Woodhouse
dwmw2 at infradead.org
Fri Jan 6 11:11:55 UTC 2006
On Fri, 2006-01-06 at 11:18 +0100, Etienne Lorrain wrote:
> > Please could you tell me the line of code which corresponds to
> > '__audit_inode+0xba/0x190'? Assuming your kernel was compiled
> > with debugging information, you can do this by loading your
> > vmlinux into gdb and issuing the command
> > 'list *__audit_inode+0xba'.
>
> I'll do that tonight, but I probably have to recompile.
OK, thanks. You shouldn't necessarily need to reproduce the problem;
just recompiling the offending file with identical CFLAGS (except of
course for adding -g) should suffice.
You can remove kernel/auditsc.o from your kernel tree, then run 'make
V=1' and it'll show you the precise gcc command line it uses to rebuild
that file. Cut and paste that command line, and add '-g' to it.
Then load the resulting object file into gdb and use the 'list' command
I showed. Ideally, check that the disassembly of that part of the file
really does match the Code: line in your oops -- but I'll ask you do to
that if it looks suspicious.
> > What audit rules had you entered? You shouldn't be seeing
> > this code path unless you've actually enabled auditing
> > for yourself.
>
> I did not touch the Fedora Core 4 configuration, I am sorry
> I do not have a clue of even where to find those rules - I
> did not read enough about this subject.
While I'm pleased it's helping us find a bug, it's quite unacceptable
that auditing was enabled on your system without your knowledge. It's an
esoteric requirement and enabling it makes the system much less
efficient. Please file a bug against the Fedora distribution.
--
dwmw2
More information about the Linux-audit
mailing list