avc messages getting separated

Linda Knippers linda.knippers at hp.com
Sun Mar 5 16:58:29 UTC 2006 

Steve Grubb wrote:
> Hi,
> 
> I was noticing a behavior that in the past we said should never happen. I was
> running the lspp.10 kernel and confirmed the same issue with a rawhide 
> kernel. The problem is that an event starts to output a record, and then 
> another event takes over, then the first event continues:

Do you recall why it should never happen?  I remember seeing that
behavior in the past and then it stopped but I wasn't following
the changes around the time to understand why.

-- ljk

> 
> type=AVC msg=audit(03/05/2006 07:58:36.011:19) : avc:  denied  { unlink } for  
> pid=1622 comm=mount name=blkid.tab.old dev=hda7 ino=11403719 
> scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:etc_t:s0 
> tclass=file
> ----
> type=PATH msg=audit(03/05/2006 07:58:36.015:20) : item=0 name=/bin/sh 
> flags=nonetype=CWD msg=audit(03/05/2006 07:58:36.015:20) :  cwd=/
> type=SYSCALL msg=audit(03/05/2006 07:58:36.015:20) : arch=x86_64 
> syscall=execve
> success=no exit=-13(Permission denied) a0=2ac24fcc014d a1=7fffff855ea0 
> a2=7fffff859d08 a3=8 items=1 pid=1623 auid=unknown(4294967295) uid=root 
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
> comm=avc_skel exe=/sbin/avc_skel
> type=AVC msg=audit(03/05/2006 07:58:36.015:20) : avc:  denied  { search } for  
> pid=1623 comm=avc_skel name=bin dev=hda7 ino=6258689 
> scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:bin_t:s0 
> tclass=dir
> ----
> type=PATH msg=audit(03/05/2006 07:58:36.011:19) : item=0 
> name=/etc/blkid.tab.old flags=parent inode=11403265 dev=03:07 mode=dir,755 
> ouid=root ogid=root rdev=00:00
> type=CWD msg=audit(03/05/2006 07:58:36.011:19) :  cwd=/
> type=SYSCALL msg=audit(03/05/2006 07:58:36.011:19) : arch=x86_64 
> syscall=unlink
> success=no exit=-13(Permission denied) a0=617d30 a1=378f9070a4 a2=617d42 a3=0 
> items=1 pid=1622 auid=unknown(4294967295) uid=root gid=root euid=root 
> suid=root fsuid=root egid=root sgid=root fsgid=root comm=mount exe=/bin/mount
> 
> You should be able to find this in your logs if you are running with the lspp 
> rules. Look for the unlink syscall.
> 
> Any ideas?
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

More information about the Linux-audit mailing list