From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Bill O'Donnell"
Subject: Re: auditd shutdown issue
Date: Mon, 7 May 2007 10:56:55 -0500
Message-ID: <20070507155655.GA18147@sgi.com>
References: <20070507151806.GA17862@sgi.com>
In-Reply-To: <20070507151806.GA17862@sgi.com>
Sender: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

whoops, forgot the rest of the output:

---------------
Stopping yum-updatesd: [ OK ]
Stopping anacron: [ OK ]
Stopping atd: [ OK ]
Stopping cups: [ OK ]
Stopping hpiod: [ OK ]
Stopping hpssd: [ OK ]
Shutting down xfs: [ OK ]
Shutting down console mouse services: [ OK ]
Stopping sshd: [ OK ]
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
/etc/rc0.d/K50esp: line 109: [: localhost: binary operator expected
Stopping acpi daemon: [ OK ]
Stopping crond: [ OK ]
Shutting down RPC idmapd: [ OK ]
Stopping autofs: Stopping automount: [ OK ] [ OK ]
Stopping system message bus: [ OK ]
Stopping NFS statd: [ OK ]
Stopping mcstransd: [ OK ]
Stopping portmap: [ OK ]
Stopping auditd:audit(1178276231.766:704): avc: denied { write } for pid=2911 comm="auditd" name="log" dev=tmpfs ino=10195 scontext=system_u:system_r:auditd_ t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file audit(1178276231.766:705): audit_pid=0 old=ystem_r:klogd_t:s0 key=(null) <5>audit("log" dev=tmpfs ino==(>audit(1178276231.850:1364): avc: deniite } for pid=3501 comm="klogd" name="ltmpfs ino=10195 scontext=system_u:system_t:s0 tcon text=system_u:object_r:devicelass=sock_file <5>audit(1178276231.891:rch=c000003e syscall=42 success=no exit1 a1=55555575b960 a2=a a3=7fff7d41b1f3 ppid=1 pid=3501 auid=4294967295 uid=0 gi=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 e) comm="klogd" exe="/sbin/klogd" subj=:system_r:klogd_t:s 0 key=(null) <5>audi6231.963:4203): avc: denied { write }d=3501 comm="klogd" name="log" dev =tmpf195 scontext=system_u:system_r:klogd_t:sxt=system_u:object_r:device_t:s0 tc lass=e <5>audit(1178276232.004:5235): arch= syscall=42 success=no exit=-13 a0=1 a15b960 a2=a a3=7fff7d41b1f3 items=0 ppid501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 egid=0 sgid=0 fsgid=0 tty=(none) cgd" exe="/sbin/klogd" subj=system_u:sysogd_t:s 0 key=(null) <5>audit(11782762342): avc: denied { write } for pid=35"klogd" name="log" dev =tmpfs ino=10195 =system_u:system_r:klogd_t:s0 tcontext=sobject_r:device_t:s0 tc lass=sock_file (1178276232.117:8074): arch=c000003e syssuccess=no exit=-13 a0=1 a1=55555575b963 =7fff7d41b1f3 items=0 ppid=1 pid=3501 4967295 uid=0 gid=0 euid=0 suid=0 fsuid= s gid=0 fsgid=0 tty=(none) comm="klogd" in/klogd" subj=system_u:system_r:klogd_=(n ull) <5>audit(1178276232.179:9623): nied { write } for pid=3501 comm="klogd41b1f3 i tems=0 ppid=1 pid=3501 auid=42967295 uid=0 gid=0 euid=0 suid=0 fsuid=0gid=0 sgid =0 fsgid=0 tty=(none) comm="kgd" exe="/sbin/klogd" subj=system_u:sysm_r:klogd_t: s0 key=(null) <5>audit(11786232.251:11424): avc: denied { write }or pid=3501 comm="klogd" n ame="log" detmpfs
ino=10195 scontext=system_u:syster:klogd_t:s0 tcontext=system_ u:object_r:vice_t:s0 tclass=sock_file <5>audit(18276232.302:12709): arch=c000003e syscall2 success=no exit=-13 a0=1 a1 . .