Reloading policy fills audit log with "selinux_audit_rule_match: stale rule"

[Sven Vermeulen <sven.vermeulen@siphos.be>]

Hi guys,

When I reload the SELinux policy on my system (semodule -R) or rebuild
and reload (semodule -B), for every action I do it generates a dozen or so
errors like the following:

#v+
Dec 30 10:25:24 test kernel: [  181.999527] type=1403 audit(1356859524.575:133): policy loaded auid=0 ses=1
Dec 30 10:25:26 test kernel: [  184.148180] type=1401 audit(1356859526.724:134): selinux_audit_rule_match: stale rule
Dec 30 10:25:26 test kernel: [  184.148180]
Dec 30 10:25:26 test kernel: [  184.148187] type=1401 audit(1356859526.724:135): selinux_audit_rule_match: stale rule
Dec 30 10:25:26 test kernel: [  184.148187]
Dec 30 10:25:26 test kernel: [  184.148191] type=1401 audit(1356859526.724:136): selinux_audit_rule_match: stale rule
Dec 30 10:25:26 test kernel: [  184.148191]
#v-

I am completely lost as to what this is about. Perhaps the audit subsystem
not realising that the SELinux policies have been reloaded? Is there a way
to reload the SELinux audit rules that I don't know about? I've grepped the
kernel sources for audit_rule_init but didn't find anything useful.

I did not have this with 3.6.* kernels (this is on a 3.7 kernel). One
change between the 3.6 and 3.7 kernels that I have is that I enabled
IMA/EVM, but I have the problem even when I disable IMA appraisal
(ima_appraise=off ima_audit=0).

Wkr,
	Sven Vermeulen

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.