From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: finit_module
Date: Fri, 04 Apr 2014 08:43:34 -0400
Message-ID: <2949295.7qgFVbk0cj@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from x2.localnet (vpn-60-103.rdu2.redhat.com [10.10.60.103])
	by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id s34ChYGb002378
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <linux-audit@redhat.com>; Fri, 4 Apr 2014 08:43:35 -0400
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

In checking a system with newish kernel, 3.13.7, I noticed that sometimes 
finit_module is producing PATH records. Why?


type=PATH msg=audit(04/04/2014 07:28:45.177:408) : item=1 name=(null) 
inode=21788 dev=00:06 mode=dir,755 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:debugfs_t:s0 nametype=CREATE 
type=PATH msg=audit(04/04/2014 07:28:45.177:408) : item=0 name=(null) 
inode=165 dev=00:06 mode=dir,755 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:debugfs_t:s0 nametype=PARENT 
type=SYSCALL msg=audit(04/04/2014 07:28:45.177:408) : arch=x86_64 
syscall=finit_module success=yes exit=0 a0=0x0 a1=0x41a396 a2=0x0 a3=0x0 
items=1348 ppid=1369 pid=1370 auid=unset uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=modprobe 
exe=/usr/bin/kmod subj=system_u:system_r:insmod_t:s0 key=module-load

Also, when it does this, it makes a whole lot of them:

type=PATH msg=audit(04/04/2014 07:28:45.177:408) : item=1347 name=(null) 
inode=22461 dev=00:06 mode=dir,755 ouid=root ogid=root rde
v=00:00 obj=system_u:object_r:debugfs_t:s0 nametype=CREATE 

Seriously, 1347 auxiliary records? Why?

-Steve