Marius Ghita <ghita.v.marius@xxxxxxxxx> writes:

> I have the following audit message
>
> Raw Audit Messages
> type=AVC msg=audit(1687022594.74:347): avc: denied { mmap_zero } for
> pid=3953 comm="check" scontext=system_u:system_r:spc_t:s0
> tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0
>
> spc_t is used for privileged root mode containers
>
> This warning gets triggered from time to time around system startup, and I
> cannot find the process involved. The name check is too generic to use the
> locate command and the process is no longer running by the time I would
> have the chance to peek at the PID.

auditd is configured to suppress audit event generation by default:

# auditctl -l
-a never,task

It means that you see only the AVC type in the audit log, e.g.:

# ausearch -m avc -ts recent
----
time->Tue Jun 20 05:44:14 2023
type=AVC msg=audit(1687254254.954:409): avc: denied { entrypoint } for pid=1307 comm="runcon" path="/usr/bin/ls" dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

In order to get more information related to the AVC you need to drop the "never,task" rule:

# auditctl -D

After that, new audit events will contain more information:

# ausearch -m avc -ts 05:48:02
----
type=PROCTITLE msg=audit(06/20/2023 05:48:04.898:416) : proctitle=runcon -u system_u -r system_r -t httpd_t -- /bin/ls
type=SYSCALL msg=audit(06/20/2023 05:48:04.898:416) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffcc618b5df a1=0x7ffcc6189488 a2=0x7ffcc6189498 a3=0x60 items=0 ppid=1207 pid=1323 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/20/2023 05:48:04.898:416) : avc: denied { entrypoint } for pid=1323 comm=runcon path=/usr/bin/ls dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

You can also enable full auditing and get even more information:

# auditctl -w /etc/shadow -p w
...
# ausearch -m avc -i -ts 05:52:02
----
type=PROCTITLE msg=audit(06/20/2023 05:52:31.059:419) : proctitle=runcon -u system_u -r system_r -t httpd_t -- /bin/ls
type=PATH msg=audit(06/20/2023 05:52:31.059:419) : item=0 name=/bin/ls inode=151456 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/20/2023 05:52:31.059:419) : cwd=/root
type=SYSCALL msg=audit(06/20/2023 05:52:31.059:419) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffc5b8945df a1=0x7ffc5b893708 a2=0x7ffc5b893718 a3=0x60 items=1 ppid=1207 pid=1335 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/20/2023 05:52:31.059:419) : avc: denied { entrypoint } for pid=1335 comm=runcon path=/usr/bin/ls dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

If you need these changes to be persistent you need to edit /etc/audit/rules.d/audit.rules

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
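The reply above rests on one mechanism: every record that belongs to the same audit event carries the same serial inside msg=audit(TIMESTAMP:SERIAL), which is how ausearch stitches the AVC record together with the SYSCALL and PROCTITLE records that name the exe, the parent pid and the full command line. The following is an added example, not code from the thread or from the audit project, that performs that correlation on raw (non -i) audit lines and flags events that have an AVC but no SYSCALL companion, which is the symptom of the "-a never,task" rule. The sample log is constructed: the epoch timestamps, numeric syscall/arch values and the hex-encoded proctitle are approximations of the interpreted output shown in the reply, and the 409 event is reproduced without companions to mirror the suppressed case.

```python
import re
from collections import defaultdict

# Constructed sample in raw audit format (what "ausearch" prints without -i).
# Event 409 was logged while "-a never,task" was active, so it has no
# SYSCALL/PROCTITLE records; event 416 was logged after "auditctl -D".
# Raw PROCTITLE records hex-encode argv with NUL separators, built here.
PROCTITLE_416 = (
    b"runcon\0-u\0system_u\0-r\0system_r\0-t\0httpd_t\0--\0/bin/ls".hex().upper()
)
SAMPLE_LOG = f"""\
type=AVC msg=audit(1687254254.954:409): avc:  denied  {{ entrypoint }} for  pid=1307 comm="runcon" path="/usr/bin/ls" dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1687254484.898:416): proctitle={PROCTITLE_416}
type=SYSCALL msg=audit(1687254484.898:416): arch=c000003e syscall=59 success=no exit=-13 a0=7ffcc618b5df a1=7ffcc6189488 a2=7ffcc6189498 a3=60 items=0 ppid=1207 pid=1323 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1687254484.898:416): avc:  denied  {{ entrypoint }} for  pid=1323 comm="runcon" path="/usr/bin/ls" dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""

EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def decode_proctitle(value):
    """A quoted proctitle is literal; an unquoted one is hex with NUL-separated argv."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    return " ".join(p.decode("utf-8", "replace") for p in raw.split(b"\0") if p)


def parse_record(line):
    """Split one raw audit line into a dict of fields plus the event serial."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = decode_proctitle(value) if key == "proctitle" else value.strip('"')
    fields["_serial"] = int(m.group("serial"))
    fields["_ts"] = m.group("ts")
    if fields.get("type") == "AVC":
        perms = PERMS_RE.search(line)
        fields["_perms"] = perms.group(1).split() if perms else []
    return fields


def correlate(log_text):
    """Group records by serial and summarise each denial with its process details."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)

    summary = {}
    for serial, recs in sorted(events.items()):
        avcs = [r for r in recs if r["type"] == "AVC"]
        if not avcs:
            continue  # not a denial event
        by_type = {r["type"]: r for r in recs}
        syscall = by_type.get("SYSCALL")
        proctitle = by_type.get("PROCTITLE")
        info = {
            "pid": int(avcs[0]["pid"]),
            "comm": avcs[0]["comm"],
            "denied": [(" ".join(a["_perms"]), a["tclass"]) for a in avcs],
            "scontext": avcs[0]["scontext"],
            "tcontext": avcs[0]["tcontext"],
            "exe": syscall["exe"] if syscall else None,
            "ppid": int(syscall["ppid"]) if syscall else None,
            "cmdline": proctitle["proctitle"] if proctitle else None,
            "complete": syscall is not None,
        }
        if not info["complete"]:
            # Exactly the situation in the thread: the AVC arrived alone.
            info["hint"] = "no SYSCALL record; check 'auditctl -l' for a never,task rule"
        summary[serial] = info
    return summary


if __name__ == "__main__":
    for serial, info in correlate(SAMPLE_LOG).items():
        print(serial, info)
```

Feed it the output of ausearch -m avc without -i (or the raw /var/log/audit/audit.log) and the "complete" flag tells you immediately whether the denial can still be attributed to an executable and parent process, or whether the suppression rule has to be dropped first, as the reply describes.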