avc messages getting separated
Linda Knippers
linda.knippers at hp.com
Sun Mar 5 16:58:29 UTC 2006
Steve Grubb wrote:
> Hi,
>
> I was noticing a behavior that in the past we said should never happen. I was
> running the lspp.10 kernel and confirmed the same issue with a rawhide
> kernel. The problem is that an event starts to output a record, and then
> another event takes over, then the first event continues:
Do you recall why it should never happen? I remember seeing that
behavior in the past and then it stopped but I wasn't following
the changes around the time to understand why.
-- ljk
>
> type=AVC msg=audit(03/05/2006 07:58:36.011:19) : avc: denied { unlink } for
> pid=1622 comm=mount name=blkid.tab.old dev=hda7 ino=11403719
> scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:etc_t:s0
> tclass=file
> ----
> type=PATH msg=audit(03/05/2006 07:58:36.015:20) : item=0 name=/bin/sh
> flags=none
> type=CWD msg=audit(03/05/2006 07:58:36.015:20) : cwd=/
> type=SYSCALL msg=audit(03/05/2006 07:58:36.015:20) : arch=x86_64
> syscall=execve
> success=no exit=-13(Permission denied) a0=2ac24fcc014d a1=7fffff855ea0
> a2=7fffff859d08 a3=8 items=1 pid=1623 auid=unknown(4294967295) uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> comm=avc_skel exe=/sbin/avc_skel
> type=AVC msg=audit(03/05/2006 07:58:36.015:20) : avc: denied { search } for
> pid=1623 comm=avc_skel name=bin dev=hda7 ino=6258689
> scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:bin_t:s0
> tclass=dir
> ----
> type=PATH msg=audit(03/05/2006 07:58:36.011:19) : item=0
> name=/etc/blkid.tab.old flags=parent inode=11403265 dev=03:07 mode=dir,755
> ouid=root ogid=root rdev=00:00
> type=CWD msg=audit(03/05/2006 07:58:36.011:19) : cwd=/
> type=SYSCALL msg=audit(03/05/2006 07:58:36.011:19) : arch=x86_64
> syscall=unlink
> success=no exit=-13(Permission denied) a0=617d30 a1=378f9070a4 a2=617d42 a3=0
> items=1 pid=1622 auid=unknown(4294967295) uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root comm=mount exe=/bin/mount
>
> You should be able to find this in your logs if you are running with the lspp
> rules. Look for the unlink syscall.
>
> Any ideas?
>
> -Steve
>
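The records quoted above still carry the key that ties an event together, `msg=audit(timestamp:serial)`, so a consumer can regroup them even when auditd emits them interleaved. The following Python is an added example, not code from the thread or from the audit tools: it regroups ausearch-style records by serial and reports which events were split apart. The input is a constructed, abridged version of the quoted records, including one line where two records have been run together.

```python
import re

# Constructed sample, abridged from the records quoted in the thread: the
# records of event 20 (execve by avc_skel) land in the middle of event 19
# (unlink by mount), and one line has two records run together.
SAMPLE = """\
type=AVC msg=audit(03/05/2006 07:58:36.011:19) : avc: denied { unlink } for pid=1622 comm=mount
----
type=PATH msg=audit(03/05/2006 07:58:36.015:20) : item=0 name=/bin/sh flags=nonetype=CWD msg=audit(03/05/2006 07:58:36.015:20) : cwd=/
type=SYSCALL msg=audit(03/05/2006 07:58:36.015:20) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) pid=1623 comm=avc_skel
type=AVC msg=audit(03/05/2006 07:58:36.015:20) : avc: denied { search } for pid=1623 comm=avc_skel
----
type=PATH msg=audit(03/05/2006 07:58:36.011:19) : item=0 name=/etc/blkid.tab.old
type=CWD msg=audit(03/05/2006 07:58:36.011:19) : cwd=/
type=SYSCALL msg=audit(03/05/2006 07:58:36.011:19) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) pid=1622 comm=mount
"""

# Every record starts with "type=NAME msg=audit(TIMESTAMP:SERIAL) :"; the serial
# is what ties the records of one event together, whatever order they appear in.
RECORD_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>[^)]*?):(?P<serial>\d+)\) : (?P<body>.*)")
# Splitting on a lookahead for the record header recovers records that were
# run together on one line (a lost newline in a mail or a copy-paste).
SPLIT_RE = re.compile(r"(?=type=\w+ msg=audit\()")

def parse_records(text):
    """Yield (serial, type, body) tuples in the order the records were emitted."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("----"):
            continue
        for chunk in SPLIT_RE.split(line):
            m = RECORD_RE.match(chunk.strip())
            if m:
                yield int(m.group("serial")), m.group("type"), m.group("body")

def reassemble(text):
    """Regroup records by serial. Returns (events, interleaved): events maps
    serial -> record types in emission order (first-seen serial first);
    interleaved lists serials whose records were split by another event's."""
    events = {}
    interleaved = []
    last_serial = None
    for serial, rtype, _body in parse_records(text):
        if serial in events and serial != last_serial and serial not in interleaved:
            interleaved.append(serial)
        events.setdefault(serial, []).append(rtype)
        last_serial = serial
    return events, interleaved
```

Run against a real ausearch dump, a non-empty `interleaved` list is the signal that the kernel or auditd is mixing events, which is what this thread is reporting.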