Re: mangled audit messages
On Thu, 2004-10-21 at 13:06, Colin Walters wrote:
On my FC2 server, running strict policy, I am seeing a lot of these:
audit(1098309975.693:0): avc:
denied { getattr } for pid=12283 exe=/usr/sbin/sshd
audit(1098309977.469:0): avc:
denied { getattr } for pid=12293 exe=/usr/sbin/sshd
audit(1098309984.374:0): avc:
denied { getattr } for pid=12319 exe=/usr/sbin/sshd
audit(1098309985.817:0): avc:
denied { getattr } for pid=12325 exe=/usr/sbin/sshd
Note the large amount of odd leading whitespace, and the lack of any
additional information. Does anyone know anything about this?
I've seen this before, although not recently, and it has been reported
on this list by at least Russell Coker and Tom London. Seems to be
difficult to reproduce reliably. I don't know if there is a bugzilla on
it. Rik Faith, who wrote the audit framework, thought it looked similar
to an earlier bug in the audit code that he had fixed. I think Peter is
presently maintaining the code, cc'd.
What kernel are you running?
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency