Re: arch=c00000b7 syscall=35

On Fri, Jun 2, 2023 at 1:32 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Zdenek,

ausearch only searches /var/log/audit/audit.log, using the SYSCALL number listed inside the audit.log,
for example:
ausearch -i -sc 208
The ausearch command interprets all audited data:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=PROCTITLE msg=audit(06/02/2023 09:32:12.249:244) : proctitle=/usr/bin/python3 /usr/libexec/rhsm-service
type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=1 name=/run/dbus-BOb77zvRHz nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=0 name=/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/02/2023 09:32:12.249:244) : cwd=/
type=SOCKADDR msg=audit(06/02/2023 09:32:12.249:244) : saddr={ saddr_fam=local path=/run/dbus-BOb77zvRHz }
type=SYSCALL msg=audit(06/02/2023 09:32:12.249:244) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x9 a1=0x7ffc3c871540 a2=0x16 a3=0x0 items=2 ppid=1 pid=3252 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-service exe=/usr/bin/python3.11 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(06/02/2023 09:32:12.249:244) : avc:  denied  { create } for  pid=3252 comm=rhsm-service name=dbus-BOb77zvRHz scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0

There is also the ausyscall command
# ausyscall --dump | grep -w 208
208     io_getevents


Thanks.

----henry

On Thu, Jun 1, 2023 at 8:13 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Zdenek,

Would you please give a sample to run ausearch to find out arch?
Thanks.

---henry

On Thu, Jun 1, 2023, 00:48 Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:


On Wed, May 31, 2023 at 9:47 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Hi folks,

I want to analyze audit.log and see
arch=c00000b7 syscall=35

Where can I find what c00000b7 and 35 mean respectively for arm64 device?
Hi,

You'd better use the ausearch/aureport commands with the -i switch to interpret them.

--

Zdenek Pytela
Security SELinux team

