Re: useradd - audit_write ?
On 7/13/06, Steve G <linux_4ever(a)yahoo.com> wrote:
>Yes, another program instrumented for audit generation, needs that
>capability.
There's a lot of them. Someone needs to look at all the places where
CAP_AUDIT_WRITE and CONTROL were and update the policy. This broke about 2-3
weeks ago. This stuff used to work.
>Why wasn't this taken care of when these programs were originally
>instrumented for audit?
They were. Something broke a couple weeks ago. Look back when someone reported
the hwclock problem. That's when all this occurred. I thought it would have been
fixed, too.
-Steve
Also one for groupadd:
type=AVC msg=audit(1152800976.477:60): avc: denied { audit_write }
for pid=5737 comm="groupadd" capability=29
scontext=user_u:system_r:groupadd_t:s0
tcontext=user_u:system_r:groupadd_t:s0 tclass=capability
type=USER_CHAUTHTOK msg=audit(1152800976.477:61): user pid=5737 uid=0
auid=500 subj=user_u:system_r:groupadd_t:s0 msg='op=adding group
acct=rpm exe="/usr/sbin/groupadd" (hostname=?, addr=?, terminal=?
res=failed)'
type=SYSCALL msg=audit(1152800976.477:60): arch=40000003 syscall=102
success=yes exit=112 a0=b a1=bfaf66e0 a2=6ecff4 a3=bfafcb2e items=0
ppid=5736 pid=5737 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="groupadd" exe="/usr/sbin/groupadd"
subj=user_u:system_r:groupadd_t:s0 key=(null)
type=SOCKADDR msg=audit(1152800976.477:60): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1152800976.477:60): nargs=6 a0=3 a1=bfafa97c
a2=70 a3=0 a4=bfaf6710 a5=c
--
Tom London