Bug 167852
| Field | Value |
|---|---|
| Summary | audit report about selinux |
| Product | [Fedora] Fedora |
| Component | kernel |
| Version | 4 |
| Hardware | i386 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Eric Tanguy <eric.tanguy> |
| Assignee | Dave Jones <davej> |
| QA Contact | Brian Brock <bbrock> |
| CC | pfrields, robatino, sgrubb, wtogami |
| Doc Type | Bug Fix |
| Last Closed | 2006-03-05 00:03:59 UTC |

Description
Eric Tanguy
2005-09-08 20:58:21 UTC
This is caused because the FC4 kernel does not include the auditd patches. OK, but when will this patch be included in the FC4 kernel?

I still get error messages associated with audit after applying all updates from Sep. 22, including the 1456 kernel. I see the following in /var/log/messages at boot time:

Sep 23 04:59:34 localhost nscd: 1882 Failed opening connection to the audit subsystem

and the following at shutdown/reboot:

Sep 22 19:48:06 localhost kernel: audit(:0): major=252 name_count=0: freeing multiple contexts (1)
Sep 22 19:48:06 localhost kernel: audit(:0): major=113 name_count=0: freeing multiple contexts (2)
Sep 22 19:48:21 localhost auditd[1837]: The audit daemon is exiting.
Sep 22 19:48:21 localhost kernel: audit(1127432901.337:51): audit_pid=0 old=1837 by auid=4294967295
Sep 22 19:48:21 localhost kernel: audit(1127432901.507:52): SELinux: unrecognized netlink message type=1009 for sclass=49
Sep 22 19:48:21 localhost kernel: audit(1127432901.507:52): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfa6d5e0 a2=80510f8 a3=bfa73a08 items=0 pid=5564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Sep 22 19:48:21 localhost kernel: audit(1127432901.507:52): saddr=100000000000000000000000
Sep 22 19:48:21 localhost kernel: audit(1127432901.507:52): nargs=6 a0=3 a1=bfa7186c a2=10 a3=0 a4=bfa73a08 a5=c
Sep 22 19:48:21 localhost kernel: audit(1127432901.608:53): SELinux: unrecognized netlink message type=1009 for sclass=49
Sep 22 19:48:21 localhost kernel: audit(1127432901.608:53): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfa6d5d0 a2=80510f8 a3=bfa739f8 items=0 pid=5564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Sep 22 19:48:21 localhost kernel: audit(1127432901.608:53): saddr=100000000000000000000000
Sep 22 19:48:21 localhost kernel: audit(1127432901.608:53): nargs=6 a0=3 a1=bfa7185c a2=10 a3=0 a4=bfa739f8 a5=c

Regarding comment #3, nscd error is a different bug from what was reported here. Basically, nscd wanted to report an avc message and couldn't - so it's not related to the kernel. The message about freeing multiple contexts is also a separate bug that needs to be looked at independently from the netlink issue above. Do you mind opening these bug reports? Thanks.

Should I report the nscd bug under glibc or audit? And are all the messages following the 2 multiple context lines part of the same bug, and which component(s) should these bugs be reported under?

The nscd problem should be under glibc - this itself may indicate 2 bugs: one for the avc that was going to be reported, and the failure reporting the avc. Only the messages regarding freeing multiple contexts are part of the second bug which should be filed against the kernel. Everything else is related to a small patch that should be applied to the kernel so that SE Linux can make decisions about file system audit commands. Thanks.

Filed under bug #169148 and bug #169150, resp. Any idea when the kernel will be patched? 2.6.13?

Created attachment 119227 [details]
patch that quieten se linux
This patch has been tested. It lets SE Linux understand the file system audit
commands so that it doesn't complain. Please apply.

If I understand well, this patch has to be applied to selinux and a simple user (like me) has to wait for a selinux update?

Mass update to all FC4 bugs: An update has been released (2.6.13-1.1526_FC4) which rebases to a new upstream kernel (2.6.13.2). As there were ~3500 changes upstream between this and the previous kernel, it's possible your bug has been fixed already. Please retest with this update, and update this bug if necessary. Thanks.

I use kernel 2.6.13-1.1526_FC4 and the problem still exists.

Fixed in cvs, will be in the next update.

After updating to kernel-2.6.13-1.1532_FC4, I still get one error at shutdown/reboot:

Oct 20 19:09:06 localhost kernel: audit(1129849746.705:48): audit_pid=0 old=1749 by auid=4294967295

This is not an error. It is saying that the audit daemon pid is now 0 - which is normal when the audit daemon de-registers with the kernel. If that's all you are seeing, this bug is fixed and can be closed. Thanks for your patience.

The only possibly abnormal thing is that this message, as with the page of messages that used to follow it, is not only in the system log, but also displayed on the console at reboot/shutdown. Is this significant enough to qualify?

No, I don't think so. For better or worse, this is the way it should look on a normal shutdown.

On reboot/shutdown, what appears on the console is something like

Stopping audit: audit(1129849746.705:48): audit_pid=0 old=1749 by auid=4294967295

and since all the other lines are of the form "Stopping <service>:", the first part is normal, but I suspect the rest is odd-looking enough that it will generate false bug reports.

*** Bug 172050 has been marked as a duplicate of this bug. ***

I still see the netlink errors with kernel kernel-2.6.14-1.1632_FC5.

Steve, that patch is definitely applied in the current errata kernels, so this must be the result of something else. Any ideas?

Dave, I just checked build 1639. The patch is not there. "grep AUDIT_WATCH *" produces no hits from the source directory or security/selinux kernel dir.

2.6.14-1.1637_FC4 has been released as an update for FC4. Please retest with this update, as a large amount of code has been changed in this release, which may have fixed your problem. Thank you.

This is a mass-update to all currently open kernel bugs. A new kernel update has been released (Version: 2.6.15-1.1830_FC4) based upon a new upstream kernel release. Please retest against this new kernel, as a large number of patches go into each upstream release, possibly including changes that may address this problem. This bug has been placed in NEEDINFO_REPORTER state. Due to the large volume of inactive bugs in bugzilla, if this bug is still in this state in two weeks time, it will be closed. Should this bug still be relevant after this period, the reporter can reopen the bug at any time. Any other users on the Cc: list of this bug can request that the bug be reopened by adding a comment to the bug. If this bug is a problem preventing you from installing the release this version is filed against, please see bug 169613. Thank you.
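
Added example, not part of the original report or of any Fedora tooling: a small triage script that groups the kernel audit lines quoted in this bug by event id (timestamp:serial) and labels each event the way the thread sorts them (netlink issue, separate "multiple contexts" bug, normal daemon de-registration). The function names and label strings are hypothetical, and the socketcall decoding assumes the i386 numbering that matches arch=40000003 in the log.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: audit lines copied from the log excerpt in this report.
SAMPLE = """\
Sep 22 19:48:06 localhost kernel: audit(:0): major=252 name_count=0: freeing multiple contexts (1)
Sep 22 19:48:21 localhost kernel: audit(1127432901.337:51): audit_pid=0 old=1837 by auid=4294967295
Sep 22 19:48:21 localhost kernel: audit(1127432901.507:52): SELinux: unrecognized netlink message type=1009 for sclass=49
Sep 22 19:48:21 localhost kernel: audit(1127432901.507:52): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfa6d5e0 a2=80510f8 a3=bfa73a08 items=0 pid=5564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Sep 22 19:48:21 localhost kernel: audit(1127432901.507:52): nargs=6 a0=3 a1=bfa7186c a2=10 a3=0 a4=bfa73a08 a5=c
"""
RECORD = re.compile(r"kernel: audit\(([\d.]*):(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
I386_SOCKETCALL = {9: "send", 11: "sendto", 16: "sendmsg"}  # subset of SYS_* call codes

def fields_of(body):
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def group_events(text):
    """Group records that share one audit event id (timestamp:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            events[(m.group(1), int(m.group(2)))].append(m.group(3))
    return dict(events)

def classify(bodies):
    """Label one event following the triage given in the thread."""
    joined = " ".join(bodies)
    if "freeing multiple contexts" in joined:
        return "multiple-contexts: separate kernel bug"
    if "unrecognized netlink message" in joined:
        nl = fields_of(next(b for b in bodies if "netlink message" in b))
        sc = next((fields_of(b) for b in bodies if "syscall=" in b), {})  # not the nargs record
        call = "syscall " + sc.get("syscall", "?")
        if sc.get("arch") == "40000003" and sc.get("syscall") == "102":  # i386 socketcall
            call = "socketcall(%s)" % I386_SOCKETCALL.get(int(sc["a0"], 16), sc["a0"])
        err = errno.errorcode.get(-int(sc.get("exit", "0")), "?")
        return "selinux-netlink type=%s: %s %s -> %s" % (
            nl.get("type"), sc.get("comm", "?"), call, err)
    f = fields_of(joined)
    if f.get("audit_pid") == "0" and "old" in f:
        return "auditd de-registered (normal): old pid " + f["old"]
    return "unclassified"

def triage(text):
    return {eid: classify(b) for eid, b in group_events(text).items()}
```

Fields are read from the syscall record only, because the nargs record of the same event reuses the a0..a5 names for the socketcall argument block.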