On Thu, 2004-10-21 at 13:06, Colin Walters wrote:
> On my FC2 server, running strict policy, I am seeing a lot of these:
>
> audit(1098309975.693:0): avc:
> denied { getattr } for pid=12283 exe=/usr/sbin/sshd
> audit(1098309977.469:0): avc:
> denied { getattr } for pid=12293 exe=/usr/sbin/sshd
> audit(1098309984.374:0): avc:
> denied { getattr } for pid=12319 exe=/usr/sbin/sshd
> audit(1098309985.817:0): avc:
> denied { getattr } for pid=12325 exe=/usr/sbin/sshd
>
> Note the large amount of odd leading whitespace, and the lack of any
> additional information. Does anyone know anything about this?
I've seen this before, although not recently, and it has been reported
on this list by at least Russell Coker and Tom London. Seems to be
difficult to reproduce reliably. I don't know if there is a bugzilla on
it. Rik Faith, who wrote the audit framework, thought it looked similar
to an earlier bug in the audit code that he had fixed. I think Peter is
presently maintaining the code, cc'd.
What kernel are you running?
--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
