Re: audit messages on shutdown -- Netlink socket error

On Fri July 22 2005 11:19 pm, Claude Jones wrote:
> When I shutdown/reboot I get a string of audit messages - these are long
> rows of cryptic messages which pass by too quickly to be able to read - one
> part of a line reads "unrecognized netlink message type" - there are
> probably 10-12 rows of this and then the shutdown continues. There are no
> other indications of trouble. Can someone give me an idea of where to look
> for the cause of this? I've been reading the audid man page, and looked at
> ausearch, but I couldn't figured out how to use it since I don't really
> know what to look for.

Replying to me, I now add  this: in looking at my log for yesterday I find 
this entry:
-------------------- Selinux Audit Begin ------------------------ 

 **Unmatched Entries** 
  audit: initializing netlink socket (disabled)
  audit(1122028142.652:1): initialized 
 ---------------------- Selinux Audit End -------------------------

My netlink.h file, with commented sections removed looks like this:

struct sockaddr_nl
	sa_family_t	nl_family;	/* AF_NETLINK	*/
	unsigned short	nl_pad;		/* zero		*/
	__u32		nl_pid;		/* process pid	*/
       	__u32		nl_groups;	/* multicast groups mask */

struct nlmsghdr
	__u32		nlmsg_len;	/* Length of message including header */
	__u16		nlmsg_type;	/* Message content */
	__u16		nlmsg_flags;	/* Additional flags */
	__u32		nlmsg_seq;	/* Sequence number */
	__u32		nlmsg_pid;	/* Sending process PID */

/* Flags values */

/* Modifiers to GET request */


   Append		NLM_F_CREATE
   Check		NLM_F_EXCL

struct nlmsgerr
	int		error;
	struct nlmsghdr msg;

That fourth line looks suspicious, and is highlighted in a different color 
when I look that the file in Konqueror, but I'm not sure what is the cause of 
"unsigned short" and what I should do about it --- Can anyone help? 
Claude Jones
Bluemont, VA, USA

