audit 1.2.2 released

Michael C Thompson thompsmc at us.ibm.com
Tue May 16 16:08:11 UTC 2006


Steve Grubb wrote:
> On Tuesday 16 May 2006 10:53, Michael C Thompson wrote:
>> I've "enhanced" this transcript with strace output (selective) and the
>> return code of the selinux_socket_recvmsg call.
>>
>>> # auditctl -l
>> sendto(3, "\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0", 16, 0,
>> {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
>> poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 100) = 1
>> recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377\20\0"...,
>> 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
>> groups=00000000}, [12]) = 36
>> -> selinux_sock_recvmsg returns 0
>>
>> recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377\20\0"...,
>> 8476, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
>> [12]) = 36
>> -> selinux_sock_recvmsg returns 0
> 
> This return code says -EPERM.

I'm sorry, but I've not spent enough time playing with sockets, how do 
you determine the return code as -EPERM from the above output...

>>> # auditctl -l
>> sendto(3, "\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0", 16, 0,
>> {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
>> poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 100) = 1
>>
>> recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\326\7\0\0\0\0\0\0\20\0\0\0\365"...,
>> 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
>> groups=00000000}, [12]) = 36
>> -> selinux_sock_recvmsg returns 0
> 
> This return code shows the kernel has data.

and that this section has data?  I'm just curious :)

Thanks,
Mike
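The "return code" being read off the strace lines above is not the value recvfrom() returned (36 bytes in every case) but the nlmsgerr.error field inside the netlink reply: the buffer starts with a 16-byte nlmsghdr whose type 2 is NLMSG_ERROR, and the four bytes that follow are a signed int that is 0 for a plain ACK or -errno when the request failed. The following Python decoder is an added example, not code from the thread or from the audit project; it assumes a little-endian host (as in the strace output), copies the three captured buffers from the quoted transcript as constructed sample input, and relies only on the standard struct and errno modules.

```python
import errno
import struct

NLMSG_ERROR = 2        # nlmsghdr.nlmsg_type of an error/ACK reply
NLMSG_HDRLEN = 16      # sizeof(struct nlmsghdr)
NLM_F_REQUEST = 0x1
NLM_F_ACK = 0x4
AUDIT_LIST_RULES = 1013  # from linux/audit.h


def unescape_strace(text):
    """Turn strace's C-style escaped string (\\NNN octal, \\n, \\t ...) into bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        i += 1                      # skip the backslash
        j = i
        while j < len(text) and j - i < 3 and text[j] in "01234567":
            j += 1                  # up to three octal digits
        if j > i:
            out.append(int(text[i:j], 8))
            i = j
        else:
            out.append({"n": 10, "t": 9, "r": 13, "\\": 92, '"': 34}[text[i]])
            i += 1
    return bytes(out)


def decode_nlmsg(escaped):
    """Decode the nlmsghdr at the start of a captured netlink buffer and,
    for NLMSG_ERROR replies, the nlmsgerr.error field that follows it.
    Assumes little-endian byte order (the host in the thread is x86)."""
    data = unescape_strace(escaped)
    if len(data) < NLMSG_HDRLEN:
        raise ValueError("truncated nlmsghdr")
    # struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid
    length, mtype, flags, seq, pid = struct.unpack_from("<IHHII", data, 0)
    msg = {
        "len": length, "type": mtype, "flags": flags, "seq": seq, "pid": pid,
        "request": bool(flags & NLM_F_REQUEST),
        "want_ack": bool(flags & NLM_F_ACK),
    }
    if mtype == NLMSG_ERROR:
        if len(data) < NLMSG_HDRLEN + 4:
            raise ValueError("truncated nlmsgerr")
        # struct nlmsgerr begins with a signed int: 0 == ACK, else -errno
        err = struct.unpack_from("<i", data, NLMSG_HDRLEN)[0]
        msg["error"] = err
        msg["status"] = "ACK" if err == 0 else "-" + errno.errorcode.get(-err, str(-err))
    return msg


# Constructed sample input: the byte strings copied from the strace lines in the thread.
REQUEST = r"\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0"                       # sendto()
REPLY_EPERM = r"$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377\20\0"  # first recvfrom()
REPLY_ACK = r"$\0\0\0\2\0\0\0\1\0\0\0\326\7\0\0\0\0\0\0\20\0\0\0\365"    # last recvfrom()

if __name__ == "__main__":
    for label, buf in (("request", REQUEST), ("reply 1", REPLY_EPERM), ("reply 2", REPLY_ACK)):
        print(label, decode_nlmsg(buf))
```

Run as-is, the request decodes to type 1013 (AUDIT_LIST_RULES) with flags NLM_F_REQUEST|NLM_F_ACK, the first reply to a NLMSG_ERROR whose error field is -1 (-EPERM), and the second to a NLMSG_ERROR whose error field is 0, i.e. the ACK the kernel sends when it accepted the request and the rule listing that follows carries the data.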




More information about the Linux-audit mailing list