Re: audit 1.7.4 released

Steve, I am testing 1.7.4 (with mls permissive policy): audit-viewer-0.2-2.fc9.x86_64 audit-libs-python-1.7.4-1.fc9.x86_64 system-config-audit-0.4.7-1.fc9.x86_64 audit-1.7.4-1.fc9.x86_64 audit-libs-devel-1.7.4-1.fc9.x86_64 audit-debuginfo-1.7.3-1.fc9.x86_64 audit-libs-1.7.4-1.fc9.x86_64 audit-libs-1.7.4-1.fc9.i386 I moved all the old audit out of the way, so all records would be new, and see this after reboot: [root@hugo ~]# aureport -h -i --summary Host Summary Report =========================== total host =========================== 223 ? 12 homeserver 8 127.0.0.1 6 0.0.0.0 The "?" entries are application audits - I am going to look, maybe they have an error on the way we are sending those in. The ones I don't understand are the "0.0.0.0" entries. Here is an example of one of those: [root@hugo ~]# ausearch -hn 0.0.0.0 -i --just-one ---- type=SOCKADDR msg=audit(05/27/2008 10:30:22.163:13193) : saddr=inet host:0.0.0.0 serv:711 type=SYSCALL msg=audit(05/27/2008 10:30:22.163:13193) : arch=x86_64 syscall=bind success=yes exit=0 a0=5 a1=7fff63dbb220 a2=10 a3=89ea70 items=0 ppid=1 pid=2647 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295 comm=rpc.rquotad exe=/usr/sbin/rpc.rquotad subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(05/27/2008 10:30:22.163:13193) : avc: denied { name_bind } for pid=2647 comm=rpc.rquotad src=711 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket Is the host "0.0.0.0" field here a bug?