auditd hanging the system...

Running the Fedora devel tree as of a few days ago, and a 2.6.16-rc5-mm3 kernel. Several times today, my laptop has seized up, with the 'disk activity' light on solid. After 30 to 120 seconds, it returns. Some poking around after the last hit finds this: # ls -l /var/log/audit/ total 25423 -rw-r----- 1 root root 1799972 Mar 14 17:11 audit.log -r--r----- 1 root root 5242905 Mar 14 17:06 audit.log.1 -r--r----- 1 root root 5242919 Mar 14 17:05 audit.log.2 -r--r----- 1 root root 5242943 Mar 14 15:11 audit.log.3 -r--r----- 1 root root 8388705 Oct 3 14:59 audit.log.4 Wow, something happened at 17:06 or so that caused it to roll through 5 meg of audit in a minute. So let's take a look at it: # ausearch -if /var/log/audit/audit.log.1 | uniq -c | more 1 ---- 1 time->Wed Dec 31 19:00:00 1969 1526 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 2 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0 1 type=SYSCALL_PARTIAL msg=audit(0.000:272): success=yes exit=14 items=0 pid=9616 auid=967 uid=967 gid=967 euid=967 suid=967 fsuid=967 egid=967 sgid=967 fsgid=967 tty=(none) comm="gkrellm" exe="/usr/bin/gkrellm" subj=user_u:user_r:user_t:s0 1 type=AVC msg=audit(0.000:272): avc: denied { create } for pid=9616 comm="gkrellm" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=udp_socket 1 ---- 1 time->Wed Dec 31 19:00:00 1969 94 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 190 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 294 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 157 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 205 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 149 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 39 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 147 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 189 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 248 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0 <here we skip several hundred more of these> 1 ---- 1 time->Wed Dec 31 19:00:00 1969 296 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 ---- 1 time->Wed Dec 31 19:00:00 1969 1 type=AVC_PATH msg=audit(0.000:272): path="socket:[782960]" 1 type=SYSCALL_PARTIAL msg=audit(0.000:272): success=yes exit=0 items=0 pid=9616 auid=967 uid=967 gid=967 euid=967 suid=967 fsuid=967 egid=967 sgid=967 fsgid=967 tty=(none) comm="gkrellm" exe="/usr/bin/gkrellm" subj=user_u:user_r:user_t:s0 1 type=AVC msg=audit(0.000:272): avc: denied { ioctl } for pid=9616 comm="gkrellm" name="[782960]" dev=sockfs ino=782960 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=udp_socket 1 ---- 1 time->Wed Dec 31 19:00:00 1969 42 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=b a1=1 a2=7 a3=bfb7a408 a4=4 1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=b a1=1 a2=8 a3=bfb7a408 a4=4 198 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=1 a1=1 a2=0 1 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=7 a1=bfb79c90 a2=27 1 type=SOCKADDR msg=audit(0.000:267): saddr=01002F746D702F616C73612D646D69782D393632352D313134323337313131372D373837303635 1 type=SOCKETCALL msg=audit(0.000:267): nargs=2 a0=7 a1=4 194 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=7 a1=1 a2=7 a3=bfb7a468 a4=4 1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=7 a1=1 a2=8 a3=bfb7a468 a4=4 3 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=7 a1=1 a2=7 a3=bfb7a408 a4=4 1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=7 a1=1 a2=8 a3=bfb7a408 a4=4 1 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=1 a1=1 a2=0 1 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=8 a1=bfb79c90 a2=27 1 type=SOCKADDR msg=audit(0.000:267): saddr=01002F746D702F616C73612D646D69782D393632352D313134323337313133322D383030303731 1 type=SOCKETCALL msg=audit(0.000:267): nargs=2 a0=8 a1=4 852 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0 Obviously looks like something is getting seriously stuck and replicating messages. Plus, it looks like there's some basic info missing on the 'type=SOCKETCALL', like the issuing process ID, etc....