search for: 40000003

Is it possible to audit the Linux User Shell? I am trying to gather what commands a user is running no our systems. Can auditd handle this? TIA -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20070903/3d4d491d/attachment.html>

...SNMP support to get information about its perfomance through snmp client. I set "snmp_port 3401" in squid.conf SELinux is in enforcing state with targeted policy. But squid daemon doesn't start. There are some messages in audit.log like type=SYSCALL msg=audit(1176946812.492:244): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf880060 a2=81109f0 a3=bf88007c items=0 ppid=15684 pid=15705 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0 key=(null) Note that squid ca...

....493:10819): avc: denied { search } for pid=9073 comm="deliver" name="tmp" dev=sda3 ino=786433 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir node=jukebox.alleroedderne.adsl.dk type=SYSCALL msg=audit(1231439791.493:10819): arch=40000003 syscall=195 success=no exit=-2 a0=96e0aa0 a1=bfc21120 a2=4f5ff4 a3=bfc21120 items=0 ppid=9072 pid=9073 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver" exe="/usr/libexec/dovecot/deliver" subj=system_u:s...

...type=AVC msg=audit(1238765234.301:1752): avc: denied { execute } for pid=20177 comm="procmail" name="spamc" dev=hda1 ino=936505 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file type=SYSCALL msg=audit(1238765234.301:1752): arch=40000003 syscall=11 success=no exit=-13 a0=95c0d90 a1=95c0020 a2=95c3cf0 a3=0 items=0 ppid=20176 pid=20177 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=12 fs gid=500 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:...

...t Messages host=trailrunner type=AVC msg=audit(1241041651.976:33): avc: denied { create } for pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070 a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=...

...s/viewtopic.php?t=21040 type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sbin/zebra" subj=root:system_r:zebra_t:s0 key=(null) ~]# ls -Z /etc/quagga/ -rw-...

...t=dell2400.homelan type=AVC msg=audit(1239885107.4:18): avc: denied { getsched } for pid=2970 comm="nm-system-setti" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process host=dell2400.homelan type=SYSCALL msg=audit(1239885107.4:18): arch=40000003 syscall=155 success=yes exit=0 a0=b9a a1=b7f0690c a2=95fff4 a3=b7f06700 items=0 ppid=1 pid=2970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:syst...

I want to put the document root for an application on a separate paritition that has more space. When I try to configure this I can't access the files in the new location. I've got the SELinux attributes set on the directory and its files, so I'm thinking it's something about the parent path that SELinux doesn't like, but I don't know where that's handled. My

...el: audit(1130333415.760:21310): audit_pid=0 old=1796 by auid=4294967 295 Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): SELinux: unrecognized netlink messa ge type=1009 for sclass=49 Oct 26 09:30:15 poseidon kernel: Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): arch=40000003 syscall=102 success=ye s exit=16 a0=b a1=bfc8d790 a2=80510f8 a3=bfc93bb8 items=0 pid=18765 auid=4294967295 uid=0 gid=0 eu id=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl" Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): saddr=1000000000...

...omain.com type=AVC msg=audit(1534872386.726:9642): avc: denied { sys_ptrace } for pid=8458 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642): arch=40000003 syscall=3 success=yes exit=166 a0=1a a1=b7ff4000 a2=400 a3=89cabf0 items=0 ppid=8979 pid=8458 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null) Tha...

...file: type=AVC msg=audit(1200895451.310:1231): avc: denied { rename } for pid=24854 comm="smbd" name="smbd.log" dev=dm-0 ino=14254108 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file type=SYSCALL msg=audit(1200895451.310:1231): arch=40000003 syscall=38 success=no exit=-13 a0=6155e0 a1=bfb8bf08 a2=60da4c a3=bfb8bf08 items=0 ppid=24848 pid=24854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null) audit2allow suggests I...

Everyone, I recently had a disc drive failure on a centos 5.8 internal mail server. I replaced the drive and installed centos 6.3. I had selinux turned off on the 5.8 machine, and with the upgrade to 6.3 decided to leave selinux active with the hopes I had learned enough to be able to use it. I have a couple of perl scripts that are activated by email that prints the contents of the mail

...669.186:14): avc: denied { write } for pid=2898 comm="mount" name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 ino=8585227 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:samba_share_t:s0 tclass=file host=server-01 type=SYSCALL msg=audit(1215943669.186:14): arch=40000003 syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0 a3=8002 items=0 ppid=2877 pid=2898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)

...which - * means that they don''t recognise that, and tries to use the page - * anyway. We therefore have to fake up just enough to keep windows happy. + * We don''t yet make use of the APIC assist page but by setting + * the CPUID3A_MSR_APIC_ACCESS bit in CPUID leaf 40000003 we are duty + * bound to support the MSR. We therefore do just enough to keep windows + * happy. * * See http://msdn.microsoft.com/en-us/library/ff538657%28VS.85%29.aspx for * details of how Windows uses the page. @@ -387,9 +387,9 @@ out: return HVM_HCALL_completed;...

...239664501.977:9052044): avc: denied { read write } for pid=18901 comm="sendmail" name="__db.000" dev=loop0 ino=901554 scontext=user_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=root:object_r:rpm_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1239664501.977:9052044): arch=40000003 syscall=11 success=yes exit=0 a0=5e2237b8 a1=5e223584 a2=5e2439bc a3=8 items=0 ppid=18880 pid=18901 auid=517 uid=517 gid=517 euid=517 suid=517 fsuid=517 egid=517 sgid=517 fsgid=517 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=user_u:system_r:system_mail_t:s0-...

...} for pid=7313 comm="ld-linux.so.2" path="/usr/lib/libGL.so.1.2.#prelink#.4GxqM1" dev=sda2 ino=1733603 scontext=unconfined_u:system_r:prelink_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file node=desk.mcguffeyfamily.net type=SYSCALL msg=audit(1250728981.756:551): arch=40000003 syscall=125 success=no exit=-13 a0=bd0000 a1=6a000 a2=5 a3=bf974f60 items=0 ppid=7297 pid=7313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=84 comm="ld-linux.so.2" exe="/lib/ld-2.9.so" subj=unconfined_u:system_r:prelink_t:s0 key=(null) A few m...

https://bugzilla.mindrot.org/show_bug.cgi?id=2361 Bug ID: 2361 Summary: seccomp filter (not only) for aarch64 Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at