audit 1.2.2 released
Steve Grubb
sgrubb at redhat.com
Tue May 16 15:23:14 UTC 2006
On Tuesday 16 May 2006 10:53, Michael C Thompson wrote:
> I've "enhanced" this transcript with strace output (selective) and the
> return code of the selinux_socket_recvmsg call.
>
> > # auditctl -l
>
> sendto(3, "\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0", 16, 0,
> {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
> poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 100) = 1
> recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377\20\0"...,
> 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
> groups=00000000}, [12]) = 36
> -> selinux_sock_recvmsg returns 0
>
> recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377\20\0"...,
> 8476, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
> [12]) = 36
> -> selinux_sock_recvmsg returns 0
This return code says -EPERM.
> > # auditctl -l
>
> sendto(3, "\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0", 16, 0,
> {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
> poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 100) = 1
>
> recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\326\7\0\0\0\0\0\0\20\0\0\0\365"...,
> 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
> groups=00000000}, [12]) = 36
> -> selinux_sock_recvmsg returns 0
This return code shows the kernel has data.
> I do not know enough about the auditctl code, but to me this looks
> like auditctl is failing to issue the 3rd recvfrom syscall.
When it gets the answer, EPERM, there's no need to do anything else because the
kernel rejected the request.
-Steve
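To make the two traces above concrete, the following is an added Python decoder for the netlink replies strace printed; it is not part of this thread or of audit 1.2.2's own code. The request bytes are copied from the sendto() line. strace truncated each 36-byte reply after 22 bytes, so the tail is reconstructed here on the assumption that it is the request header echoed back inside struct nlmsgerr (which is what the visible "\20\0" at byte 20 indicates); the helper and field names are this example's own.

```python
"""Decode the NLMSG_ERROR replies the kernel returns for auditctl's
AUDIT_LIST request, using the byte strings strace printed above."""
import errno
import struct

# struct nlmsghdr: nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid.
# The trace came from a little-endian x86 host, hence "<".
NLMSGHDR = struct.Struct("<IHHII")
NLMSG_ERROR = 2          # nlmsg_type of an ack / error reply
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
AUDIT_LIST = 0x3F5       # 1013, the nlmsg_type in the sendto() above

# The 16-byte request auditctl sent (matches the sendto() payload):
# len=16, type=AUDIT_LIST, flags=NLM_F_REQUEST|NLM_F_ACK, seq=1, pid=0.
REQUEST = NLMSGHDR.pack(16, AUDIT_LIST, NLM_F_REQUEST | NLM_F_ACK, 1, 0)


def _reply(pid, error):
    """Build a 36-byte NLMSG_ERROR reply: header, int error, echoed request.
    Constructed sample data: the first 22 bytes are what strace showed, the
    remaining 14 are assumed to be the rest of the echoed request header."""
    hdr = NLMSGHDR.pack(NLMSGHDR.size + 4 + len(REQUEST), NLMSG_ERROR, 0, 1, pid)
    return hdr + struct.pack("<i", error) + REQUEST


REPLY_EPERM = _reply(2002, -errno.EPERM)   # first run:  "\322\7\0\0\377\377\377\377"
REPLY_ACK = _reply(2006, 0)                # second run: "\326\7\0\0\0\0\0\0"


def decode_reply(buf):
    """Parse one netlink message. For NLMSG_ERROR, error == 0 is the ACK that
    NLM_F_ACK asked for; a negative value is -errno and means the kernel
    refused the request."""
    if len(buf) < NLMSGHDR.size:
        raise ValueError("short read: %d bytes" % len(buf))
    length, mtype, flags, seq, pid = NLMSGHDR.unpack_from(buf, 0)
    if length > len(buf):
        raise ValueError("truncated: header says %d, have %d" % (length, len(buf)))
    info = {"len": length, "type": mtype, "flags": flags, "seq": seq, "pid": pid}
    if mtype != NLMSG_ERROR:
        info["kind"] = "data"          # e.g. an AUDIT_LIST record
        return info
    (err,) = struct.unpack_from("<i", buf, NLMSGHDR.size)
    echoed = NLMSGHDR.unpack_from(buf, NLMSGHDR.size + 4)
    info["kind"] = "ack" if err == 0 else "error"
    info["error"] = err
    info["name"] = "OK" if err == 0 else errno.errorcode.get(-err, "E?%d" % -err)
    info["echoed_type"] = echoed[1]    # should be AUDIT_LIST
    info["echoed_seq"] = echoed[3]     # should match our seq=1
    return info


def keep_reading(info):
    """The decision Steve describes: a negative errno is the kernel's final
    answer, so there is nothing more to read; an ACK means the request was
    accepted and the list data follows on the socket."""
    return info["kind"] != "error"


def explain(buf):
    info = decode_reply(buf)
    if info["kind"] == "error":
        return "kernel rejected request seq %d: -%s" % (info["seq"], info["name"])
    if info["kind"] == "ack":
        return "request seq %d accepted; keep reading for list data" % info["seq"]
    return "data message, type %d" % info["type"]


if __name__ == "__main__":
    for label, buf in (("first run", REPLY_EPERM), ("second run", REPLY_ACK)):
        print("%s: %s" % (label, explain(buf)))
```

Running it prints the -EPERM verdict for the first trace and "accepted" for the second, which is exactly the distinction between the two recvfrom() results quoted above: same message type (2, NLMSG_ERROR), same sequence number, different error word.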