avc messages getting separated

Steve Grubb sgrubb at redhat.com
Sun Mar 5 13:19:14 UTC 2006


Hi,

I was noticing a behavior that in the past we said should never happen. I was 
running the lspp.10 kernel and confirmed the same issue with a rawhide 
kernel. The problem is that an event starts to output a record, and then 
another event takes over, then the first event continues:

type=AVC msg=audit(03/05/2006 07:58:36.011:19) : avc:  denied  { unlink } for  
pid=1622 comm=mount name=blkid.tab.old dev=hda7 ino=11403719 
scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:etc_t:s0 
tclass=file
----
type=PATH msg=audit(03/05/2006 07:58:36.015:20) : item=0 name=/bin/sh 
flags=nonetype=CWD msg=audit(03/05/2006 07:58:36.015:20) :  cwd=/
type=SYSCALL msg=audit(03/05/2006 07:58:36.015:20) : arch=x86_64 
syscall=execve
success=no exit=-13(Permission denied) a0=2ac24fcc014d a1=7fffff855ea0 
a2=7fffff859d08 a3=8 items=1 pid=1623 auid=unknown(4294967295) uid=root 
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
comm=avc_skel exe=/sbin/avc_skel
type=AVC msg=audit(03/05/2006 07:58:36.015:20) : avc:  denied  { search } for  
pid=1623 comm=avc_skel name=bin dev=hda7 ino=6258689 
scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:bin_t:s0 
tclass=dir
----
type=PATH msg=audit(03/05/2006 07:58:36.011:19) : item=0 
name=/etc/blkid.tab.old flags=parent inode=11403265 dev=03:07 mode=dir,755 
ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/05/2006 07:58:36.011:19) :  cwd=/
type=SYSCALL msg=audit(03/05/2006 07:58:36.011:19) : arch=x86_64 
syscall=unlink
success=no exit=-13(Permission denied) a0=617d30 a1=378f9070a4 a2=617d42 a3=0 
items=1 pid=1622 auid=unknown(4294967295) uid=root gid=root euid=root 
suid=root fsuid=root egid=root sgid=root fsgid=root comm=mount exe=/bin/mount

You should be able to find this in your logs if you are running with the lspp 
rules. Look for the unlink syscall.

Any ideas?

-Steve
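The interleaving Steve shows above matters to anyone who consumes the audit stream downstream: a correlator that assumes the records of one event are contiguous (everything between two `----` separators belongs together) would attach event 20's PATH/CWD/SYSCALL records to the wrong AVC. The safe approach is to group records by the serial number inside `msg=audit(timestamp:serial)` and to flag any event whose records reappear after another serial has started. The following Python is an added example written for this page, not code from the post or from the audit project; it embeds the excerpt quoted above (trimmed to the lines needed, including the `flags=nonetype=CWD` line where two records were run together) as its sample input.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List

# Excerpt of the ausearch output quoted in the post, trimmed. The "----"
# separators are ausearch's own; note the fused "flags=nonetype=CWD" line.
SAMPLE = """\
type=AVC msg=audit(03/05/2006 07:58:36.011:19) : avc:  denied  { unlink } for
pid=1622 comm=mount name=blkid.tab.old dev=hda7 ino=11403719
----
type=PATH msg=audit(03/05/2006 07:58:36.015:20) : item=0 name=/bin/sh
flags=nonetype=CWD msg=audit(03/05/2006 07:58:36.015:20) :  cwd=/
type=SYSCALL msg=audit(03/05/2006 07:58:36.015:20) : arch=x86_64
syscall=execve
type=AVC msg=audit(03/05/2006 07:58:36.015:20) : avc:  denied  { search } for
pid=1623 comm=avc_skel name=bin dev=hda7 ino=6258689
----
type=PATH msg=audit(03/05/2006 07:58:36.011:19) : item=0
name=/etc/blkid.tab.old flags=parent inode=11403265 dev=03:07 mode=dir,755
type=CWD msg=audit(03/05/2006 07:58:36.011:19) :  cwd=/
type=SYSCALL msg=audit(03/05/2006 07:58:36.011:19) : arch=x86_64
syscall=unlink
"""

# A record header: "type=<TYPE> msg=audit(<timestamp>:<serial>)". The
# timestamp itself contains colons, so the serial is taken as the last
# ":<digits>" before the closing parenthesis.
HEADER = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\)")


@dataclass
class Record:
    serial: int
    rtype: str
    body: str


def parse_records(text: str) -> List[Record]:
    """Split ausearch-style output into records, in the order they appear.

    Lines without a header are continuation lines of the previous record;
    a line carrying more than one header (the fused PATH/CWD line) is
    split at each header.
    """
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "----":
            continue
        matches = list(HEADER.finditer(line))
        if not matches:
            if records:
                records[-1].body += " " + line.strip()
            continue
        # Text in front of the first header still belongs to the previous record.
        lead = line[: matches[0].start()].strip()
        if lead and records:
            records[-1].body += " " + lead
        for i, m in enumerate(matches):
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            records.append(Record(int(m.group("serial")), m.group("type"),
                                  line[m.start():end].strip()))
    return records


def group_by_event(records: List[Record]) -> "OrderedDict[int, List[Record]]":
    """Reassemble events by serial number, ignoring where the records sat."""
    events: "OrderedDict[int, List[Record]]" = OrderedDict()
    for r in records:
        events.setdefault(r.serial, []).append(r)
    return events


def find_interleaved(records: List[Record]) -> List[int]:
    """Return serials whose records resume after a different event began."""
    closed: set = set()
    interleaved: set = set()
    current = None
    for r in records:
        if r.serial != current:
            if current is not None:
                closed.add(current)
            if r.serial in closed:
                interleaved.add(r.serial)
            current = r.serial
    return sorted(interleaved)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for serial, evt in group_by_event(recs).items():
        print(serial, [r.rtype for r in evt])
    print("interleaved events:", find_interleaved(recs))
```

Grouping by serial gives event 19 its AVC, PATH, CWD and SYSCALL records and event 20 its own four, regardless of the order in which the kernel emitted them, and `find_interleaved` reports serial 19 as the event that was interrupted, which is the condition the post says should never occur and is worth alerting on when it does.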