Tim wrote:
Tim:
Though I've also found SELinux documentation to be less
than adequate to attempt configuring something manually.
Likewise for SELinux-related things. For instance, the audit.log is
just gibberish, to me. I can't look at it and see that something
happened at a particular time (like the messages log file), and the
content of some entries gives no clue as to what it means.
For example:
type=SOCKETCALL msg=audit(1123685491.877:78): nargs=6 a0=4 a1=bf8ce47c a2=10 a3=0 a4=bf8d0618 a5=c
type=CONFIG_CHANGE msg=audit(1123685491.878:83): audit_backlog_limit=256 old=64 by auid=4294967295
I can't even guess at what they might refer to.
Paul Howarth:
You might try:
# ausearch -a 78
(the number is the number following the colon in the audit(xxx:yyy)
part of the entry)
That should result in something a little more comprehensible.
Perhaps... ;-)
time->Thu Aug 11 00:21:31 2005
type=SOCKETCALL msg=audit(1123685491.877:78): nargs=6 a0=4 a1=bf8ce47c a2=10 a3=0 a4=bf8d0618 a5=c
type=SOCKADDR msg=audit(1123685491.877:78): saddr=100000000000000000000000
type=SYSCALL msg=audit(1123685491.877:78): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bf8cc320 a2=80510f8 a3=bf8d0618 items=0 pid=1426 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SELINUX_ERR msg=audit(1123685491.877:78): SELinux: unrecognized netlink message type=1009 for sclass=49
But it, and about four other similar ones, seem just as
incomprehensible. ;-)
I might guess that it's something to do with /sbin/auditctl, but I don't
really know.
Is your system fully updated, particularly regarding the audit and
audit-libs packages? A Google search for "unrecognized netlink message"
quickly shows up http://bugzilla.redhat.com/164733 (unrecognized netlink
message type=1009 for sclass=49 on shutdown), which is a duplicate of
http://bugzilla.redhat.com/163500 (shutdown error "localhost kernel:
audit: *NO* daemon at audit_pid=1824"), supposedly fixed in audit-1.0.2-2.
Paul.