On Tuesday 16 May 2006 10:53, Michael C Thompson wrote:
I've "enhanced" this transcript with strace output (selective) and the
return code of the selinux_socket_recvmsg call.
> # auditctl -l
sendto(3, "\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0", 16, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 100) = 1
recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377\20\0"...,
8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
groups=00000000}, [12]) = 36
-> selinux_sock_recvmsg returns 0
recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377\20\0"...,
8476, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
[12]) = 36
-> selinux_sock_recvmsg returns 0
This return code says -EPERM.
> # auditctl -l
sendto(3, "\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0", 16, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 100) = 1
recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\326\7\0\0\0\0\0\0\20\0\0\0\365"...,
8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
groups=00000000}, [12]) = 36
-> selinux_sock_recvmsg returns 0
This return code shows the kernel has data.
I do not know enough about the auditctl code, but to me this looks
like auditctl is failing to issue the 3rd recvfrom syscall.
When it gets the answer, EPERM, there's no need to do anything else because the
kernel rejected the request.
-Steve
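Decoding the netlink bytes captured in the strace above makes the difference between the two runs visible. This is an added example, not code from the thread or from auditctl: it unpacks the request header and the leading nlmsghdr + nlmsgerr of each reply. It assumes the trace came from a little-endian host (netlink uses host byte order) and only uses the bytes strace actually printed.

```python
import errno
import struct

# Constants from <linux/netlink.h>
NLMSG_ERROR = 2        # reply type carrying struct nlmsgerr (ACK or error)
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04

# struct nlmsghdr: u32 nlmsg_len, u16 nlmsg_type, u16 nlmsg_flags,
# u32 nlmsg_seq, u32 nlmsg_pid; host order, little-endian for this trace.
NLMSGHDR = struct.Struct("<IHHII")

def decode_netlink_header(buf: bytes, offset: int = 0) -> dict:
    """Unpack one nlmsghdr starting at offset."""
    if len(buf) - offset < NLMSGHDR.size:
        raise ValueError("buffer too short for nlmsghdr")
    length, mtype, flags, seq, pid = NLMSGHDR.unpack_from(buf, offset)
    return {"len": length, "type": mtype, "flags": flags, "seq": seq, "pid": pid}

def decode_netlink_reply(buf: bytes) -> dict:
    """Decode a reply; for NLMSG_ERROR also read the int32 that follows the
    header: 0 means ACK, otherwise a negated errno such as -EPERM."""
    hdr = decode_netlink_header(buf)
    if hdr["type"] == NLMSG_ERROR:
        (err,) = struct.unpack_from("<i", buf, NLMSGHDR.size)
        hdr["error"] = -err
        hdr["errname"] = "ACK" if err == 0 else errno.errorcode.get(-err, "?")
    return hdr

# Bytes transcribed from the strace in the thread. strace truncates long
# buffers, so only the leading 20 bytes of each 36-byte reply are known,
# which is exactly the nlmsghdr plus the nlmsgerr error field.
# Request type 1013 is AUDIT_LIST_RULES in <linux/audit.h>.
REQUEST = b"\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0"
REPLY_EPERM = b"$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377"
REPLY_ACK = b"$\0\0\0\2\0\0\0\1\0\0\0\326\7\0\0\0\0\0\0"

if __name__ == "__main__":
    req = decode_netlink_header(REQUEST)
    print("request: type=%d flags=%#x seq=%d" % (req["type"], req["flags"], req["seq"]))
    for name, raw in (("first run", REPLY_EPERM), ("second run", REPLY_ACK)):
        r = decode_netlink_reply(raw)
        print("%s: seq=%d portid=%d -> %s" % (name, r["seq"], r["pid"], r["errname"]))
```

The first reply answers seq 1 with -EPERM, so auditctl has nothing further to read; the second is a plain ACK (error 0), after which the rule data follows in later recvfrom calls.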