Bug 200116 - Unmatched audit messages
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: logwatch
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Marcela Mašláňová
Reported: 2006-07-25 15:41 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC

Last Closed: 2006-08-15 11:18:18 UTC



Description Orion Poplawski 2006-07-25 15:41:06 UTC
Description of problem:

Get the following after a reboot:

 --------------------- Selinux Audit Begin ------------------------ 

 **Unmatched Entries** 
  audit(1153731696.924:2): enforcing=1 old_enforcing=0 auid=4294967295
  audit(1153731697.852:3): policy loaded auid=4294967295

also have seen this at times:

  audit(1153774712.599:22): user pid=1805 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  0 AV entries and 0/512 buckets used, longest chain length 0

The first two should definitely be ignored, and I imagine the second should be
as well.

Version-Release number of selected component (if applicable):
logwatch-7.2.1-1.fc5

How reproducible:
every boot

Comment 1 Marcela Mašláňová 2006-08-14 14:25:21 UTC
Hello,
could you send me the part of /var/log/messages which speaks about SELinux? I
need to know the source for logwatch.

Comment 2 Orion Poplawski 2006-08-14 16:54:01 UTC
Aug 14 06:51:41 lynx kernel: audit(1155538246.660:2): enforcing=1 old_enforcing=0 auid=4294967295
Aug 14 06:51:41 lynx kernel: audit(1155538247.000:3): policy loaded auid=4294967295
Aug 13 18:18:50 lynx kernel: audit(1155514730.555:389): user pid=2081 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  8 AV entries and 8/512 buckets used, longest chain length 1


Comment 3 Daniel Walsh 2006-08-15 11:37:25 UTC
I believe these are standard audit messages and are not SELinux reporting any
problems.


Comment 4 Steve Grubb 2006-08-15 13:10:04 UTC
Yes, these are standard audit messages and logwatch needs to be updated to
ignore them.
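
One way to express the ignore rules that comments 3 and 4 call for, as an added example that is not logwatch's own code and not part of the original thread. It classifies the three message kinds from the report and, as this example's own choice, keeps a switch from enforcing to permissive visible instead of suppressing every enforcing= record. The function names, verdict labels and the last two sample lines are constructed here.

```python
import re

# Kernel audit record as it appears in /var/log/messages:
#   <syslog prefix> kernel: audit(<epoch>:<serial>): <body>
AUDIT_RE = re.compile(r"kernel: audit\((\d+\.\d+):(\d+)\): (.*)$")
ENFORCING_RE = re.compile(r"enforcing=([01]) old_enforcing=([01])\b")
AVC_STATS_RE = re.compile(r"msg='avc:\s+\d+ AV entries and \d+/\d+ buckets used, "
                          r"longest chain length \d+")

def classify(line):
    """Return (serial, verdict) for an audit record, or None for any other line."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    serial, body = int(m.group(2)), m.group(3)
    e = ENFORCING_RE.match(body)
    if e:
        new, old = e.groups()
        # Example's own policy: a switch from enforcing to permissive stays visible.
        return serial, "report" if (old, new) == ("1", "0") else "ignore"
    if body.startswith("policy loaded "):
        return serial, "ignore"       # policy (re)load notice
    if body.startswith("user ") and AVC_STATS_RE.search(body):
        return serial, "ignore"       # userspace AVC cache statistics
    return serial, "unmatched"        # everything else still reaches the report

def triage(lines):
    """Group audit serial numbers by verdict."""
    out = {"ignore": [], "report": [], "unmatched": []}
    for line in lines:
        result = classify(line)
        if result:
            out[result[1]].append(result[0])
    return out

SAMPLE = [
    # From comment 2 of the report, with the wrapped lines rejoined
    "Aug 14 06:51:41 lynx kernel: audit(1155538246.660:2): enforcing=1 old_enforcing=0 auid=4294967295",
    "Aug 14 06:51:41 lynx kernel: audit(1155538247.000:3): policy loaded auid=4294967295",
    "Aug 13 18:18:50 lynx kernel: audit(1155514730.555:389): user pid=2081 uid=81 auid=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  8 AV entries and 8/512 buckets used, longest chain length 1",
    # Constructed for this example: a permissive switch and an AVC denial
    "Aug 14 09:02:10 lynx kernel: audit(1155546130.120:412): enforcing=0 old_enforcing=1 auid=500",
    'Aug 14 09:02:11 lynx kernel: audit(1155546131.004:413): avc:  denied  { read } for  pid=2301 comm="httpd" '
    "scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```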

