Hi Steve,
We are starting to get problem reports with this patch. It appears that
nothing sets ctime when the event is started via an avc. The patch below
takes a stab at fixing this. Does it look correct?
I'm seeing this on my system running the .12 kernel and the 1.1.4 tools.
I'm seeing more than just the zero time and a bunch of SOCKETCALL
messages. I also get a message of type UNKNOWN, more AVCs with the
same serial number and then the serial number increments and I get
a bunch more stuff. See below. What's type 1310?
-- ljk
type=USER_START msg=audit(1142413321.732:665): user pid=6451 uid=0
auid=0 msg='PAM: session open acct=root : exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1142413321.732:666): user pid=6451 uid=0 auid=0
msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=AVC msg=audit(0.000:667): avc: denied { read } for pid=6764
comm="perl" name="resolv.conf" dev=dm-0 ino=4523009
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=UNKNOWN[1310] msg=audit(0.000:667): success=yes exit=3 items=0
pid=6764 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="perl" exe="/usr/bin/perl"
subj=system_u:system_r:logwatch_t:s0-s15:c0.c255
type=SOCKADDR msg=audit(0.000:667):
saddr=01002F7661722F72756E2F6E7363642F736F636B6574000000000000000029895600B4F75F00E4C6750948E18EBF3F7B500008C075098070830910A5770929895600F0AB8709F0AB870970688709BD785600A8CF8409B0CF840908000000B4F75F0058B179097300000048E08EBF
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=3 a1=bf8edf6e a2=6e
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=1 a1=1 a2=0
type=SOCKADDR msg=audit(0.000:667):
saddr=01002F7661722F72756E2F6E7363642F736F636B6574006E5B0000000000000000002051AF0010000000201686091000000008C0750926A47709180000002C51AF00F43FAF002051AF002816860988DE8EBF6980A300FF7F0000281686090500000058DE8EBF10EA5C0020000000
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=3 a1=bf8edde6 a2=6e
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=1 a1=1 a2=0
(lots of stuff deleted..then more things with the same serial number)
type=AVC msg=audit(0.000:667): avc: denied { write } for pid=6764
comm="perl" laddr=16.116.96.237 lport=32773 faddr=16.64.64.51 fport=53
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255
tcontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 tclass=udp_socket
type=AVC msg=audit(0.000:667): avc: denied { udp_send } for pid=6764
comm="perl" saddr=16.116.96.237 src=32773 daddr=16.64.64.51 dest=53
netif=eth0 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255
tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
type=AVC msg=audit(0.000:667): avc: denied { udp_send } for pid=6764
comm="perl" saddr=16.116.96.237 src=32773 daddr=16.64.64.51 dest=53
netif=eth0 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255
tcontext=system_u:object_r:node_t:s0-s15:c0.c255 tclass=node
type=AVC msg=audit(0.000:667): avc: denied { send_msg } for pid=6764
comm="perl" saddr=16.116.96.237 src=32773 daddr=16.64.64.51 dest=53
netif=eth0 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255
tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=AVC msg=audit(0.000:667): avc: denied { sendto } for pid=6764
comm="perl" scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255
tcontext=system_u:object_r:unlabeled_t:s15:c0.c255 tclass=association
type=UNKNOWN[1310] msg=audit(0.000:667): success=yes exit=45 items=0
pid=6764 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="perl" exe="/usr/bin/perl"
subj=system_u:system_r:logwatch_t:s0-s15:c0.c255
type=SOCKETCALL msg=audit(0.000:667): nargs=4 a0=3 a1=bf8ed730 a2=2d a3=0
type=AVC msg=audit(0.000:668): avc: denied { udp_recv } for pid=6443
comm="floaters" saddr=16.64.64.51 src=53 daddr=16.116.96.237 dest=32773
netif=eth0 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255
tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
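As an added example (not from this message or from the audit tools), a small Python parser for records like the ones above: it groups records by the serial in msg=audit(time:serial), flags events stamped 0.000, and decodes the SOCKADDR saddr hex into the address it encodes. The sample records are copied from the message; the sa_family values (AF_UNIX=1, AF_INET=2) and little-endian byte order are assumptions about a Linux x86 host.

```python
import re
import socket
import struct
from collections import defaultdict

# Records copied from the report above, each joined onto a single line.
SAMPLE = """\
type=CRED_ACQ msg=audit(1142413321.732:666): user pid=6451 uid=0 auid=0 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=AVC msg=audit(0.000:667): avc: denied { read } for pid=6764 comm="perl" name="resolv.conf" dev=dm-0 ino=4523009 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SOCKADDR msg=audit(0.000:667): saddr=01002F7661722F72756E2F6E7363642F736F636B6574000000000000000029895600B4F75F00E4C6750948E18EBF3F7B500008C075098070830910A5770929895600F0AB8709F0AB870970688709BD785600A8CF8409B0CF840908000000B4F75F0058B179097300000048E08EBF
type=SOCKETCALL msg=audit(0.000:667): nargs=3 a0=3 a1=bf8edf6e a2=6e
type=AVC msg=audit(0.000:668): avc: denied { udp_recv } for pid=6443 comm="floaters" saddr=16.64.64.51 src=53 daddr=16.116.96.237 dest=32773 netif=eth0 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c255 tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line):
    """Split one audit line into type, timestamp, serial and key=value fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, ts, serial, body = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": dict(FIELD.findall(body))}

def group_by_serial(records):
    """Records of one event share the serial after ':' in msg=audit(time:serial)."""
    groups = defaultdict(list)
    for r in records:
        groups[r["serial"]].append(r)
    return dict(groups)

def zero_time_serials(records):
    """Serials stamped audit(0.000:...), i.e. events whose ctime was never set."""
    return sorted({r["serial"] for r in records if r["time"] == 0.0})

def decode_sockaddr(hexstr):
    """Decode the raw struct sockaddr a SOCKADDR record dumps as hex. sa_family is in
    host byte order (little-endian x86 assumed); AF_UNIX=1, AF_INET=2 are Linux values."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == 1:                     # AF_UNIX: sun_path is NUL-terminated
        return "AF_UNIX", raw[2:].split(b"\0", 1)[0].decode("ascii", "replace")
    if family == 2 and len(raw) >= 8:   # AF_INET: port and address in network order
        port = struct.unpack("!H", raw[2:4])[0]
        return "AF_INET", f"{socket.inet_ntoa(raw[4:8])}:{port}"
    return f"family={family}", raw.hex()
```

Parsing SAMPLE and calling zero_time_serials reports serials 667 and 668; decoding the SOCKADDR record shows the AF_UNIX path /var/run/nscd/socket, the bytes after the NUL being whatever was on the stack in the 0x6e-byte buffer.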