On 07/18/2015 09:11 PM, Joe Zeff wrote: > On 07/18/2015 08:02 PM, jd1008 wrote: >> egid=0 sgid=0 fsgid=0 ses=37 tty=(none) comm=sa1 exe=/usr/bin/sh >> subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 > > Right there's you're answer: /usr/bin/sh, AKA bash. Well, who, or more exactly, what is forking a bash script to read /root ?