audit 1.2.2 released
Michael C Thompson
thompsmc at us.ibm.com
Mon May 15 20:14:13 UTC 2006
Steve Grubb wrote:
> On Monday 15 May 2006 15:57, Michael C Thompson wrote:
>> auditctl is still reporting the "error sending rule" problem. Here are
>> my auditctl and kernel versions:
>>
>> auditctl version 1.2.2
>> 2.6.16-1.2200.2.2_FC6.lspp.25
>>
>> # auditctl -l
>> Error sending rule list request (Operation not permitted)
>
> This is not the error sending rule problem. This looks like a permission
> problem. What selinux policy and role are you doing this from? Are there any
> relevant AVCs in the audit logs from this time?
>
> -Steve
This is a transcript from Permissive mode, with role being staff_r. I do
not see the "Error sending rule list request (Operation not permitted)"
when SELinux is disabled (selinux=0) or when as auditadm_r at SystemHigh.
# auditctl -l
Error sending rule list request (Operation not permitted)
[ resulting log activity:
type=AVC msg=audit(1147657744.953:39): avc: denied { nlmsg_readpriv }
for pid=2091 comm="auditctl"
scontext=root:staff_r:staff_t:s0-s15:c0.c255
tcontext=root:staff_r:staff_t:s0-s15:c0.c255 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1147657744.953:39): arch=40000003 syscall=102
success=yes exit=16 a0=b a1=bfad2760 a2=805b0f8 a3=10 items=0 ppid=2067
pid=2091 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="auditctl" exe="/sbin/auditctl"
subj=root:staff_r:staff_t:s0-s15:c0.c255
type=SOCKADDR msg=audit(1147657744.953:39): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1147657744.953:39): nargs=6 a0=3 a1=bfad69fc
a2=10 a3=0 a4=bfad2790 a5=c
]
# auditctl -l
No rules
[ no log activity ]
Why does auditctl report a denial for the 1st attempt, and not for later
attempts?
Thanks,
Mike
More information about the Linux-audit
mailing list