While looking through some audit events in the audit-viewer I saw what I
thought might be a display error (see below "comm="); however, when I
look at the event using ausearch I see the same thing:
# ausearch -ts recent -i -a 50457
----
type=SOCKADDR msg=audit(07/31/2008 15:37:43.602:50457) : saddr=inet host:127.0.0.1 serv:16001
type=SYSCALL msg=audit(07/31/2008 15:37:43.602:50457) : arch=x86_64 syscall=connect success=no exit=-111(Connection refused) a0=10 a1=2f96d30 a2=10 a3=7fff13ee75dc items=0 ppid=22794 pid=23014 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts3 ses=818 comm=/usr/share/audi exe=/usr/bin/python subj=root:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(07/31/2008 15:37:43.602:50457) : avc: denied { recvfrom } for pid=23014 comm=/usr/share/audi saddr=127.0.0.1 src=16001 daddr=127.0.0.1 dest=58356 netif=lo scontext=root:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=root:auditadm_r:auditadm_t:s15:c0.c1023 tclass=association
The
exe=/usr/bin/python.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com