noon
First post here (my apology to the moderator - first post actually was from
the wrong email address and is awaiting your approval)
I hope someone knows what the following is about. When I
shutdown or reboot, I'm getting the following messages:
--------------------- Selinux Audit Begin ------------------------
**Unmatched Entries** (Only first 10 out of 24 are printed)
The audit daemon is exiting.
audit: *NO* daemon at audit_pid=1920
audit(1122429286.858:9676498): arch=40000003 syscall=102 success=no exit=-22
a0=b a1=bf9e3470 a2=80510f8 a3=0 items=0 pid=29548 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl"
exe="/sbin/auditctl"
audit(1122429286.858:9676498): saddr=100000000000000000000000
audit(1122429286.858:9676498): nargs=6 a0=3 a1=bf9e55cc a2=10 a3=0
a4=bf9e7768 a5=c
audit(1122429286.959:9676518): SELinux: unrecognized netlink message
type=1009 for sclass=49
audit(1122429286.959:9676518): arch=40000003 syscall=102 success=no exit=-22
a0=b a1=bf9e3450 a2=80510f8 a3=0 items=0 pid=29548 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl"
exe="/sbin/auditctl"
audit(1122429286.959:9676518): saddr=100000000000000000000000
audit(1122429286.959:9676518): nargs=6 a0=3 a1=bf9e55ac a2=10 a3=0
a4=bf9e7748 a5=c
Init complete, auditd 0.9.15 listening for events
This is from my logs, but it looks just like this on my screen as the shutdown
is occurring. I did some research on this and have gained a layman's
understanding of netlink, but I couldn't figure out how to troubleshoot the
problem.
--
Claude Jones
Bluemont, VA, USA
12:29 p.m.
but it looks just like this on my screen as the shutdown
is occurring.
This is "normal". The userspace utilities are waiting for some kernel patches
to
be applied. This should all sync up eventually.
-Steve
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
8:45 p.m.
On Wed July 27 2005 1:29 pm, Steve G wrote:
>but it looks just like this on my screen as the shutdown
>is occurring.
This is "normal". The userspace utilities are waiting for some kernel
patches to be applied. This should all sync up eventually.
Thanks, Steve. I'm going to make an attempt to start understanding Selinux
over the next period, so if I ask uninformed questions, forgive me. I have
been reading up on it but it's still a very murky subject for me. I
understand the concept of it fairly well, but the devil's in the
implementation. Tonight, a yum update picked up new versions of audit,
audit-libs, and audit-libs-devel. Are these the kinds of patches you're
referring to?
--
Claude Jones
Bluemont, VA, USA
7:18 a.m.
Tonight, a yum update picked up new versions of audit, audit-libs,
and
audit-libs-devel. Are these the kinds of patches you're referring to?
Not really. The main thing about this round of updates is that it quietens
messages that are caused by delete file system watches not being supported by
current kernels.
We have a reference audit implementation that I work to. We have just begun to
get the filesystem watch implementation upstream. It was pointed out that there
is some overlap between inotify and the audit system. So, we are trying to create
a common framework that both audit and inotify can clip into. Then when this gets
accepted upstream, Fedora will pick up the new kernel and all will be better.
This process may take a month.
-Steve
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
8:36 a.m.
On Thursday 28 July 2005 8:18 am, Steve G wrote:
>Tonight, a yum update picked up new versions of audit,
audit-libs, and
>audit-libs-devel. Are these the kinds of patches you're referring to?
Not really. The main thing about this round of updates is that it quietens
messages that are caused by delete file system watches not being supported
by current kernels.
We have a reference audit implementation that I work to. We have just begun
to get the filesystem watch implementation upstream. It was pointed out
that there is some overlap between inotify and the audit system. So, we are
trying to create a common framework that both audit and inotify can clip
into. Then when this gets accepted upstream, Fedora will pick up the new
kernel and all will be better. This process may take a month.
I need to learn more - I'm afraid you've gone over my head - but thanks. After
the cited round of updates, I got this in my overnight logwatch: is there
anything I need to get worried about?
--------------------- Selinux Audit Begin ------------------------
*** Denials ***
system_u system_u (dir): 22 times
system_u system_u (file): 34 times
system_u system_u (netif): 2 times
system_u system_u (netlink_audit_socket): 1 times
system_u system_u (netlink_route_socket): 1 times
system_u system_u (node): 2 times
system_u system_u (sock_file): 3 times
system_u system_u (tcp_socket): 5 times
system_u system_u (udp_socket): 10 times
system_u user_u (sock_file): 1 times
**Unmatched Entries** (Only first 10 out of 89 are printed)
The audit daemon is exiting.
audit: *NO* daemon at audit_pid=1920
audit(1122440737.973:10895603): arch=40000003 syscall=102 success=no
exit=-22 a0=b a1=bf909cc0 a2=80510f8 a3=0 items=0 pid=17997 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl"
exe="/sbin/auditctl"
audit(1122440737.973:10895603): saddr=100000000000000000000000
audit(1122440737.973:10895603): nargs=6 a0=3 a1=bf90be1c a2=10 a3=0
a4=bf90dfb8 a5=c
audit(1122440738.074:10895623): SELinux: unrecognized netlink message
type=1009 for sclass=49
audit(1122440738.074:10895623): arch=40000003 syscall=102 success=no
exit=-22 a0=b a1=bf909ca0 a2=80510f8 a3=0 items=0 pid=17997 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl"
exe="/sbin/auditctl"
audit(1122440738.074:10895623): saddr=100000000000000000000000
audit(1122440738.074:10895623): nargs=6 a0=3 a1=bf90bdfc a2=10 a3=0
a4=bf90df98 a5=c
Init complete, auditd 0.9.15 listening for events
---------------------- Selinux Audit End -------------------------
--------------------- Cron Begin ------------------------
**Unmatched Entries**
ENTRYPOINT FAILED but SELinux in permissive mode, continuing (/etc/crontab)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/mrtg)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/sysstat)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/mailman)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing (/etc/crontab)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/mrtg)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/sysstat)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/mailman)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing (/etc/crontab)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/mrtg)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/sysstat)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/mailman)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing (/etc/crontab)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/mrtg)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/sysstat)
ENTRYPOINT FAILED but SELinux in permissive mode, continuing
(/etc/cron.d/mailman)
---------------------- Cron End -------------------------
--
Claude Jones
Bluemont, VA, USA
6844
days inactive
6845
days old
selinux@lists.fedoraproject.org
4 comments
2 participants
participants (2)
-
Claude Jones -
Steve G