From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael C Thompson Subject: Re: audit 1.2.2 released Date: Tue, 23 May 2006 17:20:16 -0500 Message-ID: <44738AA0.50006@us.ibm.com> References: <200605121726.32952.sgrubb@redhat.com> <4469F585.6030108@hp.com> <200605161323.32162.sgrubb@redhat.com> <200605221331.54945.sgrubb@redhat.com> <4473374C.8030902@us.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <4473374C.8030902@us.ibm.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Michael C Thompson Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com Michael C Thompson wrote: > Steve Grubb wrote: >> On Tuesday 16 May 2006 13:23, Steve Grubb wrote: >>> AFAICT, there are 2 places where an access decision is made, >>> audit_netlink_ok in kernel/audit.c. And the other place is >>> selinux_nlmsg_lookup in security/selinux/nlmsgtab.c. I think you'd >>> want to >>> patch your kernel to printk its access decision results in both of >>> those >>> functions. That should tell us something about what's going on. >> >> Mike, >> >> Did you ever patch your kernel to get more info or did this problem go >> away in the latest kernel (lspp.26)? > > I have tested this on the 26 and 27 kernel and am still experiencing the > problem. I'm working on tracking it down now. This is definately not an SELinux issue. I don't know enough about the audit_reply structure to fully understand what is happening. This is what I know: socket_has_perm returns 0, and netlink_recvmsg does definitely get hit. The error is getting packaged up in the body of the netlink message, but I don't know where to begin looking for this, nor do I have the time to continue looking. If you have any possible fixes, I'll gladly test them, but currently, I'm at a loss for time and can't continue. Thanks, Mike