Anyone have any idea on what is causing the following: # auditctl -e 1 # auditctl -a entry,always -S execve # /bin/true Causes the following to be logged in /var/log/audit/audit.log type=SYSCALL msg=audit(1243557456.840:32): arch=80000016 syscall=11 per=400000 success=yes exit=11 a0=2aaaaba2a50 a1=2aaaaba38a0 a2=2aaaabb6f70 a3=200001e26b0 items=2 ppid=1625 pid=1704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="true" exe="/bin/true" key=(null) Specific to S390 and the execve syscall. I looked through the arch code but I'm not seeing why on the exec case the exit code contains the syscall#. Above reproduced on 2.6.30-rc7-git2. Thanks Tony -- To unsubscribe from this list: send the line "unsubscribe linux-s390" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
