audit errors on shutdown in FC4

[Claude Jones]

On Thursday 28 July 2005 8:18 am, Steve G wrote:
> >Tonight, a yum update picked up new versions of audit, audit-libs, and
> >audit-libs-devel. Are these the kinds of patches you're referring to?
>
> Not really. The main thing about this round of updates is that it quietens
> messages that are caused by delete file system watches not being supported
> by current kernels.
>
> We have a reference audit implementation that I work to. We have just begun
> to get the filesystem watch implementation upstream. It was pointed out
> that there is some overlap between inotify and the audit system. So, we are
> trying to create a common framework that both audit and inotify can clip
> into. Then when this gets accepted upstream, Fedora will pick up the new
> kernel and all will be better. This process may take a month.
>

I need to learn more - I'm afraid you've gone over my head - but thanks. After 
the cited round of updates, I got this in my overnight logwatch: is there 
anything I need to get worried about? 

--------------------- Selinux Audit Begin ------------------------ 

 *** Denials ***
  system_u system_u (dir): 22 times
  system_u system_u (file): 34 times
  system_u system_u (netif): 2 times
  system_u system_u (netlink_audit_socket): 1 times
  system_u system_u (netlink_route_socket): 1 times
  system_u system_u (node): 2 times
  system_u system_u (sock_file): 3 times
  system_u system_u (tcp_socket): 5 times
  system_u system_u (udp_socket): 10 times
  system_u user_u (sock_file): 1 times
 
 **Unmatched Entries** (Only first 10 out of 89 are printed)
  The audit daemon is exiting.
  audit: *NO* daemon at audit_pid=1920
  audit(1122440737.973:10895603): arch=40000003 syscall=102 success=no 
exit=-22 a0=b a1=bf909cc0 a2=80510f8 a3=0 items=0 pid=17997 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" 
exe="/sbin/auditctl"
  audit(1122440737.973:10895603): saddr=100000000000000000000000
  audit(1122440737.973:10895603): nargs=6 a0=3 a1=bf90be1c a2=10 a3=0 
a4=bf90dfb8 a5=c
  audit(1122440738.074:10895623): SELinux:  unrecognized netlink message 
type=1009 for sclass=49
  audit(1122440738.074:10895623): arch=40000003 syscall=102 success=no 
exit=-22 a0=b a1=bf909ca0 a2=80510f8 a3=0 items=0 pid=17997 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" 
exe="/sbin/auditctl"
  audit(1122440738.074:10895623): saddr=100000000000000000000000
  audit(1122440738.074:10895623): nargs=6 a0=3 a1=bf90bdfc a2=10 a3=0 
a4=bf90df98 a5=c
  Init complete, auditd 0.9.15 listening for events 
 ---------------------- Selinux Audit End ------------------------- 

 --------------------- Cron Begin ------------------------ 

 
 **Unmatched Entries**
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing (/etc/crontab)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/mrtg)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/sysstat)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/mailman)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing (/etc/crontab)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/mrtg)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/sysstat)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/mailman)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing (/etc/crontab)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/mrtg)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/sysstat)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/mailman)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing (/etc/crontab)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/mrtg)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/sysstat)
 ENTRYPOINT FAILED but SELinux in permissive mode, continuing 
(/etc/cron.d/mailman)
 
 ---------------------- Cron End -------------------------
-- 
Claude Jones
Bluemont, VA, USA