From mboxrd@z Thu Jan  1 00:00:00 1970
From: Loulwa Salem <loulwas@us.ibm.com>
Subject: Problem with audit
Date: Thu, 20 Apr 2006 18:06:37 -0500
Message-ID: <444813FD.9060507@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.11.6) with ESMTP id
	k3KN6lBh001537
	for <linux-audit@redhat.com>; Thu, 20 Apr 2006 19:06:47 -0400
Received: from e3.ny.us.ibm.com (e3.ny.us.ibm.com [32.97.182.143])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k3KN6jXJ021492
	for <linux-audit@redhat.com>; Thu, 20 Apr 2006 19:06:45 -0400
Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com [9.56.227.236])
	by e3.ny.us.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id
	k3KN6dZs027233
	for <linux-audit@redhat.com>; Thu, 20 Apr 2006 19:06:39 -0400
Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215])
	by d01relay04.pok.ibm.com (8.12.10/NCO/VER6.8) with ESMTP id
	k3KN6dpK236678
	for <linux-audit@redhat.com>; Thu, 20 Apr 2006 19:06:39 -0400
Received: from d01av01.pok.ibm.com (loopback [127.0.0.1])
	by d01av01.pok.ibm.com (8.12.11/8.13.3) with ESMTP id k3KN6dic025511
	for <linux-audit@redhat.com>; Thu, 20 Apr 2006 19:06:39 -0400
Received: from [127.0.0.1] (IBM-AFD65BEC738.austin.ibm.com [9.41.46.61])
	by d01av01.pok.ibm.com (8.12.11/8.12.11) with ESMTP id k3KN6aJ4025354
	for <linux-audit@redhat.com>; Thu, 20 Apr 2006 19:06:39 -0400
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I am running lspp.17 kernel with audit-1.2.1 on an x86_64 system.
I noticed this behavior (has anyone encountered anything similar)

After a reboot, the first auditctl command that I try will not work, After that 
it works fine.

Example:

# auditctl -l
Error sending rule list request (Operation not permitted)
# auditctl -l
No rules
            -- Reboot --
# auditctl -a entry,always -S chmod
Error sending add rule request (Operation not permitted)
# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod

The problem is reproducible .. and it happens no matter what auditctl command 
you try at first (listing, adding watches, or adding rules .. etc)

- Loulwa