Bug 200116

Summary: Unmatched audit messages
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: logwatch
Assignee: Marcela Mašláňová <mmaslano>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 5
CC: sgrubb
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-08-15 11:18:18 UTC

Description Orion Poplawski 2006-07-25 15:41:06 UTC
Description of problem:

Get the following after a reboot:

 --------------------- Selinux Audit Begin ------------------------ 

 **Unmatched Entries** 
  audit(1153731696.924:2): enforcing=1 old_enforcing=0 auid=4294967295
  audit(1153731697.852:3): policy loaded auid=4294967295

also have seen this at times:

  audit(1153774712.599:22): user pid=1805 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  0 AV entries and 0/512 buckets used, longest chain length 0

The first two should definitely be ignored, and I imagine the second should be
as well.

Version-Release number of selected component (if applicable):
logwatch-7.2.1-1.fc5

How reproducible:
every boot

Comment 1 Marcela Mašláňová 2006-08-14 14:25:21 UTC
Hello,
could you send me the part of /var/log/messages which speaks about SELinux? I
need to know the source for logwatch.

Comment 2 Orion Poplawski 2006-08-14 16:54:01 UTC
Aug 14 06:51:41 lynx kernel: audit(1155538246.660:2): enforcing=1 old_enforcing=0 auid=4294967295
Aug 14 06:51:41 lynx kernel: audit(1155538247.000:3): policy loaded auid=4294967295
Aug 13 18:18:50 lynx kernel: audit(1155514730.555:389): user pid=2081 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  8 AV entries and 8/512 buckets used, longest chain length 1


Comment 3 Daniel Walsh 2006-08-15 11:37:25 UTC
I believe these are standard audit messages and are not SELinux reporting any
problems.


Comment 4 Steve Grubb 2006-08-15 13:10:04 UTC
Yes, these are standard audit messages and logwatch needs to be updated to
ignore them.
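
Added example (not logwatch's own code and not written by anyone in this thread): a Python filter that separates the three routine audit messages quoted in this bug from entries that should still reach the report. The names classify, unmatched_entries and SAMPLE are hypothetical, and treating only the 0 -> 1 enforcing transition as routine is an assumption of this example; the last two sample lines are constructed.

```python
import re

# Kernel audit prefix as quoted in the report: audit(<epoch>.<ms>:<serial>): <body>
AUDIT_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\):\s+(.*)$")

# Message bodies treated as routine status output (the three kinds in this bug).
# Only enforcing=1 old_enforcing=0 is listed, so a later switch to permissive
# (enforcing=0) is not silenced. That choice is this example's assumption.
ROUTINE = [
    ("enforcing-on", re.compile(r"^enforcing=1 old_enforcing=0 auid=\d+$")),
    ("policy-load", re.compile(r"^policy loaded auid=\d+$")),
    ("avc-cache-stats", re.compile(
        r"msg='avc:\s+\d+ AV entries and \d+/\d+ buckets used, "
        r"longest chain length \d+")),
]

def classify(line):
    """Return (serial, label); (None, None) if the line is not an audit record."""
    m = AUDIT_RE.search(line)
    if not m:
        return None, None
    serial, body = int(m.group(3)), m.group(4).strip()
    for label, pattern in ROUTINE:
        if pattern.search(body):
            return serial, label
    return serial, "unmatched"

def unmatched_entries(lines):
    """Audit records that match no routine pattern and belong in the report."""
    return [line for line in lines if classify(line)[1] == "unmatched"]

SAMPLE = [
    # From comment 2, with the wrapped lines rejoined
    "Aug 14 06:51:41 lynx kernel: audit(1155538246.660:2): enforcing=1 old_enforcing=0 auid=4294967295",
    "Aug 14 06:51:41 lynx kernel: audit(1155538247.000:3): policy loaded auid=4294967295",
    "Aug 13 18:18:50 lynx kernel: audit(1155514730.555:389): user pid=2081 uid=81 auid=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  8 AV entries and 8/512 buckets used, longest chain length 1",
    # Constructed for this example: a runtime switch to permissive and an AVC denial
    "Aug 14 09:00:00 lynx kernel: audit(1155546000.000:400): enforcing=0 old_enforcing=1 auid=500",
    "Aug 14 09:00:05 lynx kernel: audit(1155546005.120:401): avc:  denied  { read } for  pid=2500 "
    'comm="httpd" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 '
    "tcontext=system_u:object_r:shadow_t:s0 tclass=file",
]

if __name__ == "__main__":
    for entry in unmatched_entries(SAMPLE):
        print(entry)
```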