From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: audit 1.7.4 released
Date: Tue, 27 May 2008 11:59:00 -0400
Message-ID: <1211903940.3079.16.camel@localhost.localdomain>
References: <200805191450.06153.sgrubb@redhat.com> <1211903431.6568.41.camel@homeserver>
In-Reply-To: <1211903431.6568.41.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: LC Bruzenak
Cc: Linux Audit
List-Id: linux-audit@redhat.com

On Tue, 2008-05-27 at 10:50 -0500, LC Bruzenak wrote:
> Steve,
>
> I am testing 1.7.4 (with mls permissive policy):
> audit-viewer-0.2-2.fc9.x86_64
> audit-libs-python-1.7.4-1.fc9.x86_64
> system-config-audit-0.4.7-1.fc9.x86_64
> audit-1.7.4-1.fc9.x86_64
> audit-libs-devel-1.7.4-1.fc9.x86_64
> audit-debuginfo-1.7.3-1.fc9.x86_64
> audit-libs-1.7.4-1.fc9.x86_64
> audit-libs-1.7.4-1.fc9.i386
>
> I moved all the old audit out of the way, so all records would be new,
> and see this after reboot:
>
> [root@hugo ~]# aureport -h -i --summary
>
> Host Summary Report
> ===========================
> total  host
> ===========================
> 223  ?
> 12  homeserver
> 8  127.0.0.1
> 6  0.0.0.0
>
> The "?" entries are application audits - I am going to look, maybe they
> have an error on the way we are sending those in.
>
> The ones I don't understand are the "0.0.0.0" entries. Here is an
> example of one of those:
>
> [root@hugo ~]# ausearch -hn 0.0.0.0 -i --just-one
> ----
> type=SOCKADDR msg=audit(05/27/2008 10:30:22.163:13193) : saddr=inet
> host:0.0.0.0 serv:711
> type=SYSCALL msg=audit(05/27/2008 10:30:22.163:13193) : arch=x86_64
> syscall=bind success=yes exit=0 a0=5 a1=7fff63dbb220 a2=10 a3=89ea70
> items=0 ppid=1 pid=2647 auid=unset uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295
> comm=rpc.rquotad exe=/usr/sbin/rpc.rquotad
> subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(05/27/2008 10:30:22.163:13193) : avc: denied
> { name_bind } for pid=2647 comm=rpc.rquotad src=711
> scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
>
> Is the host "0.0.0.0" field here a bug?

Isn't this telling us that they are calling bind on any interface, not a
specific address? The const struct sockaddr *addr part of the bind(2)
call is INADDR_ANY, or whatever the semantics are...

-Eric
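The point of the reply is that the SOCKADDR record is a verbatim copy of the sockaddr the process handed to bind(2), so host:0.0.0.0 is the wildcard address (INADDR_ANY), not a logging error. The following decoder is an added example written for this page; it is not code from the thread or from the audit project. It parses the raw (non "-i") form of such an event, decodes the hex-encoded struct sockaddr that the kernel logs in saddr=, checks that its length matches the addrlen argument (a2) in the matching SYSCALL record, and flags wildcard binds. The two raw log lines and their saddr hex are constructed to correspond to the interpreted event quoted above (16-byte struct sockaddr_in, little-endian sa_family=2, network-order port 711, address 0.0.0.0); the epoch timestamp and the numeric arch/syscall values are assumptions made for the sample.

```python
"""Decode raw SOCKADDR records from audit.log and explain a bind() event."""
import re
import socket
import struct

# Linux address-family numbers as they appear in a Linux audit.log, fixed here
# so the decoder gives the same answer on any host it is run on.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample (not copied from the thread): the raw form of the event
# quoted above, as auditd writes it before ausearch -i interprets it. The saddr
# hex is the assumed 16-byte struct sockaddr_in passed to bind(2):
#   0200      sa_family = AF_INET (host/little-endian order)
#   02C7      sin_port  = 711 (network order)
#   00000000  sin_addr  = 0.0.0.0 (INADDR_ANY)
#   00*8      sin_zero
SAMPLE_LINES = [
    'type=SOCKADDR msg=audit(1211902222.163:13193): '
    'saddr=020002C7000000000000000000000000',
    'type=SYSCALL msg=audit(1211902222.163:13193): arch=c000003e syscall=49 '
    'success=yes exit=0 a0=5 a1=7fff63dbb220 a2=10 a3=89ea70 items=0 ppid=1 '
    'pid=2647 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a {field: value} dict (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["_time"], rec["_serial"] = m.group(1), int(m.group(2))
    return rec


def decode_saddr(hexstr):
    """Decode the hex-encoded struct sockaddr the kernel logged in saddr=."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]  # sa_family_t, little-endian host order
    out = {"length": len(raw)}
    if family == AF_INET:
        port = struct.unpack_from("!H", raw, 2)[0]            # sin_port, network order
        host = socket.inet_ntop(socket.AF_INET, raw[4:8])     # sin_addr
        out.update(family="inet", host=host, port=port, wildcard=(host == "0.0.0.0"))
    elif family == AF_INET6:
        port = struct.unpack_from("!H", raw, 2)[0]            # sin6_port
        host = socket.inet_ntop(socket.AF_INET6, raw[8:24])   # sin6_addr, after sin6_flowinfo
        out.update(family="inet6", host=host, port=port, wildcard=(host == "::"))
    elif family == AF_UNIX:
        path = raw[2:].split(b"\0", 1)[0]                     # sun_path, NUL-terminated
        out.update(family="local", path=path.decode(errors="replace"))  # empty for abstract names
    else:
        out.update(family=family, raw=hexstr)
    return out


def explain_event(lines):
    """Pair the SOCKADDR and SYSCALL records of one event and interpret them."""
    by_type = {r["type"]: r for r in (parse_record(l) for l in lines)}
    sa = decode_saddr(by_type["SOCKADDR"]["saddr"])
    sc = by_type["SYSCALL"]
    addrlen = int(sc["a2"], 16)  # third argument of bind()/connect(), logged in hex
    verdict = {
        "serial": sc["_serial"],
        "comm": sc["comm"],
        "syscall": sc["syscall"],
        "addrlen_matches": addrlen == sa["length"],
        "sockaddr": sa,
    }
    if sa.get("wildcard"):
        verdict["note"] = ("wildcard address: the process bound to every local "
                           "interface (INADDR_ANY), not to a specific address")
    return verdict


if __name__ == "__main__":
    for key, value in explain_event(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Because aureport -h keys its host summary on whatever the decoded saddr says, every wildcard bind contributes a "0.0.0.0" row, which is what produces the six entries in the summary above; the same decoder run over a real audit.log shows whether any such row is a connect() to 0.0.0.0 rather than a bind(), which would be the only surprising case.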