Re: Lots a permission denied activity

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2018-07-16 at 14:27 -0400, Steve Grubb wrote:
> Hello,
> 
> I have been testing a new set of audit rules and have run across some 
> processes that are doing things that might out to be changed. Typically, 
> audit users expect a normally functioning system to not be noisy. There is a 
> requirement to audit failed file access due to permission denied. What I'm 
> finding is that two processes are generating tens of thousands of events 
> every day.
> 
> There is a /usr/libexec/tracker-extract process that searches my directories 
> about every 11 seconds. I can imagine on a laptop that would be a lot of disk 
> activity. Sometimes I use root in my home directory and accidentally create 
> files owned by root. This leads to a lots of events on my system. Does it 
> really need to run with this frequency?

It backs the live searches you can do via the GNOME overview, so for
those to be actually accurate (and I'd assume people often want to find
recently-touched content), yeah, it kinda has to run a lot. Probably
best asked on the desktop@ list, anyway.

> But I also see one that I just don't understand. Every 12 seconds, /usr/lib/
> systemd/systemd calls openat with write flags to open 
> 
> /sys/fs/cgroup/cpu/cgroup.procs
> /sys/fs/cgroup/cpuacct/cgroup.procs
> /sys/fs/cgroup/blkio/cgroup.procs
> /sys/fs/cgroup/memory/user.slice/user-4325.slice/user@4325.service/
> cgroup.procs
> /sys/fs/cgroup/memory/user.slice/user-4325.slice/cgroup.procs
> /sys/fs/cgroup/memory/user.slice/cgroup.procs
> /sys/fs/cgroup/memory/cgroup.procs
> /sys/fs/cgroup/devices/user.slice/cgroup.procs
> /sys/fs/cgroup/devices/cgroup.procs
> /sys/fs/cgroup/pids/user.slice/user-4325.slice/user@4325.service/cgroup.procs
> /sys/fs/cgroup/pids/user.slice/user-4325.slice/cgroup.procs
> /sys/fs/cgroup/pids/user.slice/cgroup.procs
> /sys/fs/cgroup/pids/cgroup.procs
> 
> Which are all root owned files. This adds up to about 45,000 events a day. Is 
> there a purpose to opening those files? And if that was truly needed, should 
> it be logging failures? Are the permissions wrong? If the failures are 
> benign, why is it doing it at all?

No idea about this one.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/4HATHQMNF3S63TPY7S7FFQCRBHYCEQI6/




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux