[patch] fix syscall speedup patch mips typo

Linda Knippers linda.knippers at hp.com
Wed Mar 15 16:58:01 UTC 2006


Hi Steve,

> We are starting to get problem reports with this patch. It appears that
> nothing sets ctime when the event is started via an avc. The patch below
> takes a stab at fixing this. Does it look correct?

I'm seeing this on my system running the .12 kernel and the 1.1.4 tools.
I'm seeing more than just the zero time and a bunch of SOCKETCALL
messages.  I also get a message of type UNKNOWN, more AVCs with the
same serial number and then the serial number increments and I get
a bunch more stuff.  See below.  What's type 1310?

-- ljk

type=USER_START msg=audit(1142413321.732:665): user pid=6451 uid=0 
auid=0 msg='PAM: session open acct=root : exe="/usr/sbin/crond" 
(hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1142413321.732:666): user pid=6451 uid=0 auid=0 
msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, 
terminal=cron res=success)'
type=AVC msg=audit(0.000:667): avc:  denied  { read } for  pid=6764 
comm="perl" name="resolv.conf" dev=dm-0 ino=4523009 
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=UNKNOWN[1310] msg=audit(0.000:667):  success=yes exit=3 items=0 
pid=6764 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) comm="perl" exe="/usr/bin/perl" 
subj=system_u:system_r:logwatch_t:s0-s15:c0.c255
type=SOCKADDR msg=audit(0.000:667): 
saddr=01002F7661722F72756E2F6E7363642F736F636B6574000000000000000029895600B4F75F00E4C6750948E18EBF3F7B500008C075098070830910A5770929895600F0AB8709F0AB870970688709BD785600A8CF8409B0CF840908000000B4F75F0058B179097300000048E08EBF
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=3 a1=bf8edf6e a2=6e
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=1 a1=1 a2=0
type=SOCKADDR msg=audit(0.000:667): 
saddr=01002F7661722F72756E2F6E7363642F736F636B6574006E5B0000000000000000002051AF0010000000201686091000000008C0750926A47709180000002C51AF00F43FAF002051AF002816860988DE8EBF6980A300FF7F0000281686090500000058DE8EBF10EA5C0020000000
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=3 a1=bf8edde6 a2=6e
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=1 a1=1 a2=0

(lots of stuff deleted..then more things with the same serial number)

type=AVC msg=audit(0.000:667): avc:  denied  { write } for  pid=6764 
comm="perl" laddr=16.116.96.237 lport=32773 faddr=16.64.64.51 fport=53 
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 
tcontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 tclass=udp_socket
type=AVC msg=audit(0.000:667): avc:  denied  { udp_send } for  pid=6764 
comm="perl" saddr=16.116.96.237 src=32773 daddr=16.64.64.51 dest=53 
netif=eth0 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 
tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
type=AVC msg=audit(0.000:667): avc:  denied  { udp_send } for  pid=6764 
comm="perl" saddr=16.116.96.237 src=32773 daddr=16.64.64.51 dest=53 
netif=eth0 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 
tcontext=system_u:object_r:node_t:s0-s15:c0.c255 tclass=node
type=AVC msg=audit(0.000:667): avc:  denied  { send_msg } for  pid=6764 
comm="perl" saddr=16.116.96.237 src=32773 daddr=16.64.64.51 dest=53 
netif=eth0 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 
tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=AVC msg=audit(0.000:667): avc:  denied  { sendto } for  pid=6764 
comm="perl" scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 
tcontext=system_u:object_r:unlabeled_t:s15:c0.c255 tclass=association
type=UNKNOWN[1310] msg=audit(0.000:667):  success=yes exit=45 items=0 
pid=6764 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) comm="perl" exe="/usr/bin/perl" 
subj=system_u:system_r:logwatch_t:s0-s15:c0.c255
type=SOCKETCALL msg=audit(0.000:667): nargs=4 a0=3 a1=bf8ed730 a2=2d a3=0
type=AVC msg=audit(0.000:668): avc:  denied  { udp_recv } for  pid=6443 
comm="floaters" saddr=16.64.64.51 src=53 daddr=16.116.96.237 dest=32773 
netif=eth0 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 
tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
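
An added example, not part of the original message or of the audit tools: a Python sketch that groups records like those quoted above by serial number, lists the events stamped 0.000, and decodes a SOCKADDR saddr value. The sample lines are rejoined and shortened copies of lines from the message, the function names are hypothetical, and reading sa_family as little-endian is an assumption about the reporting host.

```python
import re
from collections import defaultdict

# Constructed sample: records from the message above, each rejoined onto one
# line and trimmed; the saddr value is cut to its leading bytes.
SAMPLE = """\
type=CRED_ACQ msg=audit(1142413321.732:666): user pid=6451 uid=0 auid=0
type=AVC msg=audit(0.000:667): avc:  denied  { read } for  pid=6764 comm="perl"
type=UNKNOWN[1310] msg=audit(0.000:667):  success=yes exit=3 items=0 pid=6764
type=SOCKADDR msg=audit(0.000:667): saddr=01002F7661722F72756E2F6E7363642F736F636B65740000
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=3 a1=bf8edf6e a2=6e
type=AVC msg=audit(0.000:668): avc:  denied  { udp_recv } for  pid=6443 comm="floaters"
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <body>
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")

def group_by_serial(text):
    """Map serial number -> list of (type, seconds, millis, body) records."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # lines that are not record headers are skipped
            rtype, sec, ms, serial, body = m.groups()
            events[int(serial)].append((rtype, int(sec), int(ms), body))
    return dict(events)

def zero_time_serials(events):
    """Serials of events holding at least one record stamped 0.000."""
    return sorted(serial for serial, recs in events.items()
                  if any(sec == 0 and ms == 0 for _, sec, ms, _ in recs))

def decode_unix_saddr(hexstr):
    """Return the path from an AF_UNIX saddr dump, or None for other families."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], "little")  # assumption: little-endian host
    if family != 1:  # 1 == AF_UNIX on Linux
        return None
    # The path ends at the first NUL; bytes after it are padding out to the
    # address length passed to the call, not part of the address.
    return raw[2:].split(b"\0", 1)[0].decode("ascii", "replace")

if __name__ == "__main__":
    events = group_by_serial(SAMPLE)
    for serial in zero_time_serials(events):
        print(serial, [rtype for rtype, *_ in events[serial]])
    for rtype, _, _, body in events[667]:
        if rtype == "SOCKADDR":
            print(decode_unix_saddr(body.split("saddr=", 1)[1]))
```
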