From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael C Thompson
Subject: Re: audit 1.2.2 released
Date: Tue, 16 May 2006 15:38:20 -0500
Message-ID: <446A383C.2090902@us.ibm.com>
References: <200605121726.32952.sgrubb@redhat.com> <200605161134.29407.sgrubb@redhat.com> <4469F585.6030108@hp.com> <200605161323.32162.sgrubb@redhat.com>
In-Reply-To: <200605161323.32162.sgrubb@redhat.com>
To: Steve Grubb
Cc: Linux Audit
List-Id: linux-audit@redhat.com

Steve Grubb wrote:
> On Tuesday 16 May 2006 11:53, Linda Knippers wrote:
>> His transcript was when running in permissive mode so won't you only get
>> the avc deny once?
>
> If it's in permissive, you shouldn't get any failure that results in EPERM from
> SE Linux. But on second look, this AVC has a success=yes, so maybe not the
> smoking gun. If there was a corresponding AVC with success=no, then that
> would be notable.
>
> AFAICT, there are 2 places where an access decision is made, audit_netlink_ok
> in kernel/audit.c. And the other place is selinux_nlmsg_lookup in
> security/selinux/nlmsgtab.c. I think you'd want to patch your kernel to
> printk its access decision results in both of those functions. That should
> tell us something about what's going on.
>
> -Steve

Interesting factoid here for you Steve:

I just compiled auditctl from scratch, and the newly compiled binary got
the "Error sending rule list request" thing, even though I had been
using the /sbin/auditctl -l functionality for a long while prior.

Does this mean anything to you? Or at least help narrow the search?

Mike
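
The check discussed in the quoted text, whether an AVC denial is paired with a success=no outcome, can be run over an audit log by grouping records on their shared event serial. This Python example is added here and is not code from anyone in the thread; the sample records are constructed and the verdict labels are hypothetical names chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread); all values are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1147811900.101:41): avc:  denied  { nlmsg_read } for  pid=2301 comm="auditctl" tclass=netlink_audit_socket
type=SYSCALL msg=audit(1147811900.101:41): arch=40000003 syscall=102 success=yes exit=16 pid=2301 comm="auditctl"
type=AVC msg=audit(1147811955.730:57): avc:  denied  { nlmsg_read } for  pid=2417 comm="auditctl" tclass=netlink_audit_socket
type=SYSCALL msg=audit(1147811955.730:57): arch=40000003 syscall=102 success=no exit=-13 pid=2417 comm="auditctl"
type=SYSCALL msg=audit(1147812001.004:63): arch=40000003 syscall=102 success=no exit=-1 pid=2488 comm="auditctl"
"""

EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(log_text):
    """Group records by event serial; records of one event share msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            fields["_raw"] = line  # keep the raw line to test for the "denied" keyword
            events[int(m.group(1))].append(fields)
    return events

def classify(log_text):
    """Return {serial: verdict} for events with an AVC denial or a failed syscall."""
    verdicts = {}
    for serial, records in group_events(log_text).items():
        denied = any(r.get("type") == "AVC" and " denied " in r["_raw"] for r in records)
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        failed = syscall is not None and syscall.get("success") == "no"
        if denied and failed:
            verdicts[serial] = "avc-blocked"      # denial paired with success=no
        elif denied:
            verdicts[serial] = "avc-logged-only"  # denial logged, call still succeeded
        elif failed:
            verdicts[serial] = "failed-no-avc"    # failure with no AVC denial recorded
    return verdicts

if __name__ == "__main__":
    for serial, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(serial, verdict)
```

An event classified as `failed-no-avc` is a failure that the AVC records do not account for, so the other decision point named in the thread is the next place to look.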