[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Unable to login

On Saturday 11 June 2005 11:40, James Morris wrote:
> I'm unable to login to current rawhide and the 2.6.12-rc6 kernel, with
> auditd enabled.
> I think these audit.log messages are the cause:
> type=KERNEL msg=audit(1118503063.368:248607): SELinux:  unrecognized
> netlink message type=1100 for sclass=49
> type=KERNEL msg=audit(1118503063.368:248607): syscall=102 arch=40000003
> success=no exit=-22 a0=b a1=bfc3ab10 a2=7150f8 a3=66 items=0
>  pid=1916 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 comm=login exe=/bin/login

This message appears to come from SE Linux. The KERNEL message type should not 
be used for that kind of message. It needs to have its own type so that it 
doesn't break the parsers. FWIW, that message is AUDIT_USER_AUTH which is 
being sent by pam. It requires netlink relay permissions.

> No diagnostics are displayed on the console though.

That would be application specific.

> Can auditd translate Unix epochs into human readable timestamps?

auditd just writes to disk. ausearch >= 0.9.1 should be able to translate 
everything using the -i parameter. To see only the above message, use:

ausearch -i -a 248607


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]