Marius Ghita ghita.v.marius@gmail.com writes:
> I have the following audit message
>
> Raw Audit Messages
> type=AVC msg=audit(1687022594.74:347): avc: denied { mmap_zero } for pid=3953 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0
>
> spc_t is used for privileged root mode containers
>
> This warning gets triggered from time to time around system startup, and I cannot find the process involved. The name check is too generic to use the locate command and the process is no longer running by the time I would have the chance to peek at the PID.
auditd is configured to suppress audit event generation by default:
# auditctl -l
-a never,task

That means you see only the AVC record type in the audit log, e.g.:

# ausearch -m avc -ts recent
----
time->Tue Jun 20 05:44:14 2023
type=AVC msg=audit(1687254254.954:409): avc: denied { entrypoint } for pid=1307 comm="runcon" path="/usr/bin/ls" dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

In order to get more information related to the AVC you need to drop the "never,task" rule:
# auditctl -D
After that new audit events will contain more information:
# ausearch -m avc -ts 05:48:02
----
type=PROCTITLE msg=audit(06/20/2023 05:48:04.898:416) : proctitle=runcon -u system_u -r system_r -t httpd_t -- /bin/ls
type=SYSCALL msg=audit(06/20/2023 05:48:04.898:416) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffcc618b5df a1=0x7ffcc6189488 a2=0x7ffcc6189498 a3=0x60 items=0 ppid=1207 pid=1323 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/20/2023 05:48:04.898:416) : avc: denied { entrypoint } for pid=1323 comm=runcon path=/usr/bin/ls dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

You can also enable full auditing and get even more information:
# auditctl -w /etc/shadow -p w
...
# ausearch -m avc -i -ts 05:52:02
----
type=PROCTITLE msg=audit(06/20/2023 05:52:31.059:419) : proctitle=runcon -u system_u -r system_r -t httpd_t -- /bin/ls
type=PATH msg=audit(06/20/2023 05:52:31.059:419) : item=0 name=/bin/ls inode=151456 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/20/2023 05:52:31.059:419) : cwd=/root
type=SYSCALL msg=audit(06/20/2023 05:52:31.059:419) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffc5b8945df a1=0x7ffc5b893708 a2=0x7ffc5b893718 a3=0x60 items=1 ppid=1207 pid=1335 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/20/2023 05:52:31.059:419) : avc: denied { entrypoint } for pid=1335 comm=runcon path=/usr/bin/ls dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

If you need these changes to be persistent you need to edit /etc/audit/rules.d/audit.rules
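The reply above makes the practical point: with `-a never,task` in place an AVC record stands alone and carries only `pid=` and `comm=`, whereas once the rule is dropped the kernel emits SYSCALL and PROCTITLE records under the same audit serial, and those carry `exe=`, `ppid=` and the full command line. The script below is an added example, not code from the thread or from the audit project: it parses raw (non `-i`) audit.log lines, groups records by serial, hex-decodes the PROCTITLE field (audit hex-encodes it when it contains spaces, with NUL bytes between argv entries), and reports for each AVC what else is known about the process. The sample log is constructed from the records quoted in the thread; the epoch timestamp and raw-format field values for the second event are assumptions derived from the interpreted output.

```python
"""Correlate SELinux AVC records in a raw audit.log with the SYSCALL and
PROCTITLE records that share their audit serial, to name the process
behind a denial.  Added example; the sample log lines are constructed."""
import re
from collections import defaultdict

TYPE_RE = re.compile(r"^type=(\w+)")
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def unquote(value):
    """Strip the double quotes the kernel puts around string fields."""
    if value is None:
        return None
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def decode_proctitle(value):
    """PROCTITLE is hex-encoded (NUL-separated argv) when the command line
    contains spaces or control characters, otherwise a quoted string."""
    if value.startswith('"'):
        return unquote(value)
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        argv = bytes.fromhex(value).split(b"\x00")
        return " ".join(a.decode("utf-8", "replace") for a in argv if a)
    return value


def parse_record(line):
    """Return (type, serial, fields) for one raw audit record, else None."""
    t, m = TYPE_RE.match(line), MSG_RE.search(line)
    if not t or not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if t.group(1) == "AVC":
        p = PERM_RE.search(line)           # the permission inside { ... }
        fields["_perm"] = p.group(1) if p else None
    return t.group(1), m.group(2), fields


def group_events(log_text):
    """serial -> {record type -> [fields, ...]} (PATH can repeat per event)."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            rtype, serial, fields = rec
            events[serial].setdefault(rtype, []).append(fields)
    return events


def explain_avcs(log_text):
    """One summary per AVC record; exe/ppid/proctitle stay None when the
    event carries no SYSCALL/PROCTITLE record (the 'never,task' case)."""
    out = []
    for serial, recs in group_events(log_text).items():
        for avc in recs.get("AVC", []):
            entry = {"serial": serial, "perm": avc.get("_perm"),
                     "pid": avc.get("pid"), "comm": unquote(avc.get("comm")),
                     "scontext": avc.get("scontext"), "tclass": avc.get("tclass"),
                     "exe": None, "ppid": None, "proctitle": None}
            if "SYSCALL" in recs:
                sc = recs["SYSCALL"][0]
                entry["exe"], entry["ppid"] = unquote(sc.get("exe")), sc.get("ppid")
            if "PROCTITLE" in recs:
                entry["proctitle"] = decode_proctitle(recs["PROCTITLE"][0]["proctitle"])
            out.append(entry)
    return out


# Constructed sample: event 347 is the lone AVC from the question (no
# SYSCALL record because of -a never,task); event 416 is the runcon test
# from the reply in raw form, with SYSCALL and hex-encoded PROCTITLE.
SAMPLE_LOG = """\
type=AVC msg=audit(1687022594.74:347): avc:  denied  { mmap_zero } for  pid=3953 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1687254484.898:416): arch=c000003e syscall=59 success=no exit=-13 a0=7ffcc618b5df a1=7ffcc6189488 a2=7ffcc6189498 a3=60 items=0 ppid=1207 pid=1323 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1687254484.898:416): avc:  denied  { entrypoint } for  pid=1323 comm="runcon" path="/usr/bin/ls" dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1687254484.898:416): proctitle=72756E636F6E002D750073797374656D5F75002D720073797374656D5F72002D740068747470645F74002D2D002F62696E2F6C73
"""

if __name__ == "__main__":
    for e in explain_avcs(SAMPLE_LOG):
        who = e["exe"] or "unknown (no SYSCALL record; drop -a never,task)"
        print(f"serial {e['serial']}: {e['perm']} denied to pid {e['pid']} "
              f"comm {e['comm']} -> exe {who}, ppid {e['ppid']}, "
              f"cmdline {e['proctitle']}")
```

For a short-lived startup process like the one in the question, the `ppid=` field is usually the most useful output: it survives after the child exits and identifies the service or container runtime that spawned `check`.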