From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: auditctl question
Date: Thu, 3 Aug 2006 17:06:48 -0400
Message-ID: <200608031706.48393.sgrubb@redhat.com>
References: <20060731171437.GA447@clif.cflynt.com>
	<20060803151814.GC5964@w-m-p.com>
	<17B584B5C0638745ADF6002331331FDFA7D6F1@aplesliberty.dom1.jhuapl.edu>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <17B584B5C0638745ADF6002331331FDFA7D6F1@aplesliberty.dom1.jhuapl.edu>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Williams, P. Lane" <Lane.Williams@jhuapl.edu>
List-Id: linux-audit@redhat.com

On Thursday 03 August 2006 16:02, Williams, P. Lane wrote:
> I also received the same error with the other kernel. =C2=A0I did not b=
uild the
> SE-Linux stuff into the kernel, should I have?

I think the kernel headers are your problem. I don't think I'd replace th=
at.=20
And you do not have to have SE Linux enabled since this is a define from =
the=20
audit kernel headers.  That said, I don't think you need to rebuild the u=
ser=20
space package.=20

The problem you are seeing would be a kernel bug most likely. It is what=20
evaluates the rules and decides if it needs to output an event. So, with =
the=20
new kernel and auditctl from Suse, do you see the problem?

Thanks,
-Steve