On 4/23/05, Tom London <selinux(a)gmail.com> wrote:
Running targeted/enforcing, latest rawhide (.1261)
Examining /var/log/messages, I notice some 'corrupted' avc messages, e.g.:
Apr 23 13:05:33 localhost kernel: audit(1114286729.835:0): avc:
denied { search } for name=3228 dev=proc ino=211550210
scontext=system_u:system_r:initss=dir
Apr 23 13:06:31 localhost kernel: audit(1114286790.120:0): avc:
denied { search } for name=3228 dev=proc ino=211550210
scontext=system_u:system_r:i127:0): avc: denied { search } for
name=1780 dev=proc ino=116654082 scontext=system_u:system_r:init_t
tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:06:41 localhost kernel: audit(1114286800.202:0): avc:
denied { search } for name=3 dev=proc ino=196610
scontext=system_u:system_r:inystem_r:init_t
tcontext=system_u:system_r:kernel_t tclass=dir
[initss? i127? inystem? there are more....]
Is there a lock problem with auditing?
tom
Hmmm, is this an instance of this problem in audit?
tom
---------------------------------------------------------------------
This sounds like an old kernel bug. There was a patch on the audit mail list that
fixes it. It is pending being merged in the mm kernel. It only affects syslog
messages. If you use the audit daemon, you won't see the problem.
-Steve Grubb
--- linux/kernel/audit.c.orig 2005-02-16 13:49:28.839925080 -0500
+++ linux/kernel/audit.c 2005-02-16 13:53:24.757060224 -0500
@@ -513,8 +513,8 @@
if (!audit_pid) { /* No daemon */
int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
int len = skb->len - offset;
- printk(KERN_ERR "%*.*s\n",
- len, len, skb->data + offset);
+ skb->data[offset + len] = '\0';
+ printk(KERN_ERR "%s\n", skb->data + offset);
}
kfree_skb(skb);
ab->nlh = NULL;
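Review bot: The new store `skb->data[offset + len] = '\0';` lands at index skb->len (len is skb->len - offset, so offset + len equals skb->len), which is one byte past the message data, and nothing in this hunk shows that the skb has a spare byte there. Please check skb_tailroom(skb) before writing the terminator, or, if a bounded print is acceptable here, keep a precision-limited format such as "%.*s" with len so that no write into the buffer is needed. A one-line comment saying why the terminator is required would also help.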
--
Tom London
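A way to flag records like the ones quoted in this thread when reading /var/log/messages, as an added example that is not part of the original thread or of the audit code. The function name, the three-field `_u:_r:_t` context pattern, the shared syslog prefix and the well-formed record are assumptions made for illustration; the damaged message bodies are the ones quoted above, rejoined onto one line each.

```python
import re

# Assumption: contexts have the three-field user:role:type form with the
# _u/_r/_t suffixes seen in the records quoted in this thread.
CONTEXT = re.compile(r"^\w+_u:\w+_r:\w+_t$")
REQUIRED = ("scontext", "tcontext", "tclass")

def check_avc(record):
    """Return the problems found in one syslog AVC record ([] if well-formed)."""
    problems = []
    # A second "avc:" marker means two messages were run together.
    if record.count("avc:") != 1:
        problems.append("expected exactly one 'avc:' marker")
    fields = re.findall(r"(\w+)=(\S+)", record)
    keys = [k for k, _ in fields]
    # Truncation drops trailing fields; interleaving duplicates them.
    for key in REQUIRED:
        if keys.count(key) != 1:
            problems.append(f"{key} appears {keys.count(key)} times")
    for key, value in fields:
        if key.endswith("context") and not CONTEXT.match(value):
            problems.append(f"malformed {key}: {value}")
    return problems

# Constructed syslog prefix shared by all sample records.
PREFIX = ("Apr 23 13:06:31 localhost kernel: audit(1114286790.120:0): "
          "avc: denied { search } for ")
TAIL = "tcontext=system_u:system_r:kernel_t tclass=dir"
# Constructed well-formed record.
GOOD = PREFIX + ("name=1780 dev=proc ino=116654082 "
                 "scontext=system_u:system_r:init_t " + TAIL)
# Message bodies as quoted in the thread.
TRUNCATED = PREFIX + ("name=3228 dev=proc ino=211550210 "
                      "scontext=system_u:system_r:initss=dir")
INTERLEAVED = PREFIX + ("name=3228 dev=proc ino=211550210 "
                        "scontext=system_u:system_r:i127:0): avc: denied "
                        "{ search } for name=1780 dev=proc ino=116654082 "
                        "scontext=system_u:system_r:init_t " + TAIL)
SPLICED = PREFIX + ("name=3 dev=proc ino=196610 "
                    "scontext=system_u:system_r:inystem_r:init_t " + TAIL)

if __name__ == "__main__":
    for name in ("GOOD", "TRUNCATED", "INTERLEAVED", "SPLICED"):
        print(name, check_avc(globals()[name]))
```
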