10:40 a.m.
I'm unable to login to current rawhide and the 2.6.12-rc6 kernel, with
auditd enabled.
I think these audit.log messages are the cause:
type=KERNEL msg=audit(1118503063.368:248607): SELinux: unrecognized
netlink message type=1100 for sclass=49
type=KERNEL msg=audit(1118503063.368:248607): syscall=102 arch=40000003
success=no exit=-22 a0=b a1=bfc3ab10 a2=7150f8 a3=66 items=0
pid=1916 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm=login exe=/bin/login
No diagnostics are displayed on the console though.
Can auditd translate Unix epochs into human readable timestamps?
- James
--
James Morris
<jmorris(a)redhat.com>
11:52 a.m.
On Saturday 11 June 2005 11:40, James Morris wrote:
I'm unable to login to current rawhide and the 2.6.12-rc6 kernel,
with
auditd enabled.
I think these audit.log messages are the cause:
type=KERNEL msg=audit(1118503063.368:248607): SELinux: unrecognized
netlink message type=1100 for sclass=49
type=KERNEL msg=audit(1118503063.368:248607): syscall=102 arch=40000003
success=no exit=-22 a0=b a1=bfc3ab10 a2=7150f8 a3=66 items=0
pid=1916 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm=login exe=/bin/login
This message appears to come from SE Linux. The KERNEL message type should not
be used for that kind of message. It needs to have its own type so that it
doesn't break the parsers. FWIW, that message is AUDIT_USER_AUTH which is
being sent by pam. It requires netlink relay permissions.
No diagnostics are displayed on the console though.
That would be application specific.
Can auditd translate Unix epochs into human readable timestamps?
auditd just writes to disk. ausearch >= 0.9.1 should be able to translate
everything using the -i parameter. To see only the above message, use:
ausearch -i -a 248607
-Steve
12:51 a.m.
On Sat, 11 Jun 2005, Steve Grubb wrote:
On Saturday 11 June 2005 11:40, James Morris wrote:
> I'm unable to login to current rawhide and the 2.6.12-rc6 kernel, with
> auditd enabled.
>
> I think these audit.log messages are the cause:
>
> type=KERNEL msg=audit(1118503063.368:248607): SELinux: unrecognized
> netlink message type=1100 for sclass=49
> type=KERNEL msg=audit(1118503063.368:248607): syscall=102 arch=40000003
> success=no exit=-22 a0=b a1=bfc3ab10 a2=7150f8 a3=66 items=0
> pid=1916 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 comm=login exe=/bin/login
This message appears to come from SE Linux. The KERNEL message type should not
be used for that kind of message. It needs to have its own type so that it
doesn't break the parsers. FWIW, that message is AUDIT_USER_AUTH which is
being sent by pam. It requires netlink relay permissions.
If you add new audit messages, you need to update the SELinux kernel
component which parses netlink messages and synchronize things so that
Fedora doesn't suddenly break. As is currently the case.
- James
--
James Morris
<jmorris(a)redhat.com>
2:45 a.m.
On Mon, 2005-06-13 at 01:51 -0400, James Morris wrote:
If you add new audit messages, you need to update the SELinux kernel
component which parses netlink messages and synchronize things so that
Fedora doesn't suddenly break. As is currently the case.
You said 2.6.12-rc6 kernel. Did you mean that you aren't using a Fedora
kernel? You need to use either a Fedora kernel or a 2.6-mm kernel. The
patches are going to Linus as soon as 2.6.12 is released.
--
dwmw2
10:32 a.m.
On Mon, 13 Jun 2005, David Woodhouse wrote:
On Mon, 2005-06-13 at 01:51 -0400, James Morris wrote:
> If you add new audit messages, you need to update the SELinux kernel
> component which parses netlink messages and synchronize things so that
> Fedora doesn't suddenly break. As is currently the case.
You said 2.6.12-rc6 kernel. Did you mean that you aren't using a Fedora
kernel? You need to use either a Fedora kernel or a 2.6-mm kernel. The
patches are going to Linus as soon as 2.6.12 is released.
I wasn't able to login with the latest Fedora kernel either, same
symptoms (although I didn't check the logs: this problem combined with a
broken init system in rawhide meant a re-install).
- James
--
James Morris
<jmorris(a)redhat.com>
7132
days inactive
7134
days old
linux-audit@lists.linux-audit.osci.io
4 comments
3 participants
participants (3)
-
David Woodhouse -
James Morris -
Steve Grubb