search for: auid

How to resolve this SElinux problem? type=USER_AVC msg=audit(1513478641.700:1920): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=0 uid=0 gid=0 cmdline="/usr/bin/systemctl reload named-chroot.service" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe=&quot...

...h audit2allow from the /var/log/message The modules seem to work fine, because old avc denied messages desappeard ... but some messages like the following appear at /var/log/messages when I do a semodule -i modulename or semodule -r modulename : Oct 5 20:16:11 orion kernel: : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)' Oct 5 20:16:11 orion kernel: audit(1223252171.572:8): policy loaded auid=4294967295 ses=4294967295 Oct 5 20:16:41 orion kernel: audit(1223252201.673:9): user pid=2172 uid=81 auid=4294967295 subj=system_u:system_r:system_dbus d_t:s0 msg='avc: received...

...failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator ./messages:Jun 15 23:32:11 lambdacenter dovecot(pam_unix)[17182]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator ./audit/audit.log:type=USER_AUTH msg=audit(1181971858.967:156312): user pid=15512 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)' ./audit/audit.log:type=USER_AUTH msg=audit(1181971862.772:156382): user pid=15670 uid=0 auid=4294967295 msg='PAM authentic...

On 04/26/2017 04:22 AM, Gordon Messmer wrote: > On 04/25/2017 03:25 PM, Robert Moskowitz wrote: >> This made the same content as before that caused problems: > > I still don't understand, exactly. Are you seeing *new* problems > after installing a policy? What are the problems? > >> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.

On Tue, Mar 14, 2017 at 02:46:19PM -0400, Ron Wheeler wrote: > https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html > > If disabling Selinux solves your problem, then your problem may be related > to Selinux. > If it does not change yout problem, you may want to look

The recently-left programmer did *something*, and he didn't know what, and the guy who picked it up is working with me to find out why /var/log/messages is getting flooded with Oct 26 11:01:06 <servername> kernel: type=1105 audit(1477494066.569:642430): pid=108551 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_krb5,pam_xauth acct="<user>" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success' Oct 26 11...

...ite3" dev="dm-0" ino=100884225 scontext=system_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file > type=SYSCALL msg=audit(1489588773.253:1171): arch=c000003e syscall=2 success=no exit=-13 a0=aa5080 a1=80000 a2=1a4 a3=aa5080 items=0 ppid=1485 pid=3838 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="asterisk" exe="/usr/sbin/asterisk" subj=system_u:system_r:asterisk_t:s0 key=(null) > type=AVC msg=audit(1489588777.432:1172): avc: denied { getattr } for pid=3844 comm="...

...ville at edpnet.be Hi, Whit the current code in 6.6p1, the linux auditing code is generating multiples USER_LOGIN when either an unknown user or a wrong password of an existing user is used. With an unknown user, I get the following: type=USER_LOGIN msg=audit(1402608427.317:143): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed' type=USER_LOGIN msg=audit(1402608427.317:144): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/...

...stemd[1]: Listening on Journal Socket (/dev/log). [ 152.045723] systemd[1]: Reached target Remote File Systems. [ 152.047281] systemd[1]: Created slice system-getty.slice. [ 152.047305] systemd[1]: Reached target Login Prompts. [ 152.592880] audit: type=1130 audit(1565977308.276:2): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' [ 152.607239] systemd-journald[305]: Received request to flush runtime journal from PID 1 [ 152.679482] audit: type=1130 audit(1...

..." dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1329395502.681:61927): avc: denied { search } for pid=25674 comm="httpd" name=""...

...hda1) in ext3_reserve_inode_write: Journal has aborted EXT3-fs error (device hda1) in ext3_delete_inode: Journal has aborted ext3_abort called. EXT3-fs error (device hda1): ext3_journal_start_sb: Detected aborted journal Remounting filesystem read-only audit(1204110895.260:2): audit_pid=0 old=0 by auid=4294967295 audit(1204110895.270:3): audit_backlog_limit=256 old=64 by auid=4294967295 NET: Registered protocol family 10 lo: Disabled Privacy Extensions IPv6 over IPv4 tunneling driver the configuration file is, kernel = "/boot/vmlinuz-2.6.18.8-xen" ramdisk = "/boot/initrd-2.6.18....

...::ffff:[server], TLS Aug 5 21:01:34 [hostname] dovecot: imap-login: Aborted login: user=<[me]>, method=PLAIN, rip=::ffff:[server], lip=::ffff:[server], TLS I'm getting the following messages in /var/log/audit/audit.log: type=USER_AUTH msg=audit(1217984152.016:347): user pid=7669 uid=0 auid=10243 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct="[me]" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:[client], addr=::ffff:[client], terminal=dovecot res=success)' type=USER_ACCT msg=audit(1217984152.017:348): user pid=7669 uid=...

...bject_r:svirt_image_t:s0:c122,c658 vm1.img -rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c122,c658 vm2.img Trying to read/write on vm1 will generate AVC messages Seen following message in /var/log/audit/audit.log : type=VIRT_RESOURCE msg=audit(1332310867.790:10312): user pid=5114 uid=0 auid=0 ses=3 subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=attach vm="vm2" uuid=b07607f8-2d03-cc1f-272b-22863667d1a4 old-disk="?" new-disk="/var/lib/libvirt/images/vm1.img": exe=2F7573722F7362696E2F6C69627669727464202864656C6574656429...

Since updating to 4.2 my Opteron server has been flooded by messages like: audit(1129565701.837:155): user pid=4700 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)' to both /var/log/messages and the kernel ring buffer. Looks like they are being generated by cron jobs being run on the server. Does anyone know how to turn th...

...de" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1506168999.456:2350): arch=c000003e syscall=4 success=yes exit=0 a0=55eea817ec80 a1=7ffe668ef300 a2=7ffe668ef300 a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1506168999.456:2351): avc: denied { open } for pid=28956 comm=...

...lt the server program does not accept connections. When compiled without the sandbox all is good. When inspecting closer it looks like the fork of sshd is killed by SIGSYS signal due to an access violation. Kernel log at the time of crash: [147024.127628] audit: type=1326 audit(1718443919.577:9): auid=1000 uid=103 gid=65534 ses=298 pid=17516 comm="sshd" exe="/home/pi/openssh-9.7p1/sshd" sig=31 arch=40000028 syscall=384 compat=1 ip=0xf798d330 code=0x0 I am also attaching the strace of sshd and its children. I tested this on x86 debian with the same setup, same seccomp kernel...

...it(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=sendmail exe=/usr/sbin/exim subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { setgid } for pi...

...ful 2023-01-28T09:07:25+1100 nut-driver at ups[1259]: Network UPS Tools - UPS driver controller 2.8.0 2023-01-28T09:07:25+1100 systemd[1]: Started nut-driver at ups.service - Network UPS Tools - device driver for NUT device 'ups'. 2023-01-28T09:07:25+1100 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=nut-driver at ups comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' 2023-01-28T09:07:25+1100 systemd[1]: Reached target nut-driver.target - Network UPS Tools - target for power device d...

...u:system_r:container_t:s0:c62,c364 > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 > > > type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 > syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1 > a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000 > euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 > ses=2 comm=bash exe=/bin/bash > subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64 > SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos > FSUID=lacos...

On 3/22/23 12:42, Daniel P. Berrang? wrote: > On Wed, Mar 22, 2023 at 12:13:49PM +0100, Laszlo Ersek wrote: >> On 3/22/23 11:42, Laszlo Ersek wrote: >> >>> Now the "podman build -f ci/containers/alpine-edge.Dockerfile -t >>> libnbd-alpine-edge" command is failing with a different error message -- >>> the download completes, but the internal