I'm seeing strange audit messages like the following from cron jobs on a
couple of systems. Any idea what this might be about? I don't expect grep to
be needing execmem access and when I run a command matching the proctitle at
the shell prompt it doesn't need it.
type=PROCTITLE msg=audit(26/02/19 00:00:07.426:1130782) : proctitle=grep -m 1
-oP pid-file=\K.+$
type=SYSCALL msg=audit(26/02/19 00:00:07.426:1130782) : arch=x86_64
syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x10000
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0
ppid=6557 pid=6559 auid=unset uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/bin/grep
subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(26/02/19 00:00:07.426:1130782) : avc: denied { execmem }
for pid=6559 comm=grep scontext=system_u:system_r:logrotate_t:s0
tcontext=system_u:system_r:logrotate_t:s0 tclass=process permissive=0
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
