What does all this mean from logwatch? What are, in plain speak, unmatched entries?
--------------------- Selinux Audit Begin ------------------------
Number of audit daemon starts: 5
Number of audit daemon stops: 6
**Unmatched Entries**
audit(1248863231.539:55834): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op=remove rule key=(null) list=2 res=1
audit(1248863231.539:55835): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
audit(1248865986.300:28653): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op=remove rule key=(null) list=2 res=1
audit(1248865986.300:28654): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
audit(1248867118.172:28695): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op=remove rule key=(null) list=2 res=1
audit(1248867118.172:28696): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
config change requested by pid=9598 auid=500 subj=unconfined_u:system_r:initrc_t:s0
audit(1248871767.418:3339) config changed, auid=500 pid=9598 subj=unconfined_u:system_r:initrc_t:s0 res=success
---------------------- Selinux Audit End -------------------------
On 07/30/2009 04:49 AM, Frank Murphy wrote:
> What does all this mean from logwatch? What are, in plain speak, unmatched entries?
> --------------------- Selinux Audit Begin ------------------------
> Number of audit daemon starts: 5
> Number of audit daemon stops: 6
> **Unmatched Entries**
> audit(1248863231.539:55834): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op=remove rule key=(null) list=2 res=1
> audit(1248863231.539:55835): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
> audit(1248865986.300:28653): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op=remove rule key=(null) list=2 res=1
> audit(1248865986.300:28654): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
> audit(1248867118.172:28695): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op=remove rule key=(null) list=2 res=1
> audit(1248867118.172:28696): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
> config change requested by pid=9598 auid=500 subj=unconfined_u:system_r:initrc_t:s0
> audit(1248871767.418:3339) config changed, auid=500 pid=9598 subj=unconfined_u:system_r:initrc_t:s0 res=success
> ---------------------- Selinux Audit End -------------------------
These are audit messages, not SELinux AVC messages or any kind of SELinux message.
On 30/07/09 15:05, Daniel J Walsh wrote:
> On 07/30/2009 04:49 AM, Frank Murphy wrote:
>> What does all this mean from logwatch? What are, in plain speak, unmatched entries?
>> --SNIP--
> These are audit messages, not SELinux AVC messages or any kind of SELinux message.
They can be safely ignored then
On 07/30/2009 10:08 AM, Frank Murphy wrote:
> On 30/07/09 15:05, Daniel J Walsh wrote:
>> On 07/30/2009 04:49 AM, Frank Murphy wrote:
>>> What does all this mean from logwatch? What are, in plain speak, unmatched entries?
>>> --SNIP--
>> These are audit messages, not SELinux AVC messages or any kind of SELinux message.
> They can be safely ignored then
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes, these messages are the audit system telling you that readahead added and removed some rules to the audit system at boot time.
I believe readahead now adds a rule to watch for all file opens at boot until it is finished, it then records the file opens and saves them, to reconfigure itself for the next boot, to be more efficient. Your mileage may vary.
So I think whatever is searching for these rules should ignore them as expected.
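A triage sketch for the record types in this report, added here as an example and not code from the thread or from logwatch: it sets aside rule and `audit_enabled` changes made by `readahead_t` with an unset login UID, and keeps everything else for review. The `EXPECTED_TYPES` allowlist, the function names and the AVC sample line are assumptions or constructed for the example.

```python
import re
from collections import Counter

UNSET_AUID = "4294967295"         # (uint32)-1: no login session, e.g. a boot-time service
EXPECTED_TYPES = {"readahead_t"}  # assumption: domains expected to touch audit rules at boot
KV = re.compile(r"(\w+)=(\S+)")

def classify(line):
    """Return (kind, fields) for one record from the logwatch audit section."""
    fields = dict(KV.findall(line))
    if "avc:" in line:
        kind = "avc"                    # an actual SELinux denial
    elif "audit_enabled" in fields:
        kind = "audit_enabled_change"   # auditing switched on or off
    elif re.search(r"\bop=(add|remove) rule\b", line):
        kind = "rule_change"            # audit rule added or removed
    elif "config change" in line:
        kind = "config_change"          # audit configuration change
    else:
        kind = "other"
    return kind, fields

def triage(lines):
    """Split records into expected boot-time noise, AVCs, and items to review."""
    ignored, avcs, review = Counter(), [], []
    for line in filter(None, (l.strip() for l in lines)):
        kind, f = classify(line)
        parts = f.get("subj", "").split(":")
        setype = parts[2] if len(parts) > 2 else ""
        if kind == "avc":
            avcs.append(line)
        elif (kind in ("rule_change", "audit_enabled_change")
              and setype in EXPECTED_TYPES and f.get("auid") == UNSET_AUID):
            ignored[kind] += 1
        else:
            review.append((kind, f.get("auid"), setype))
    return ignored, avcs, review

# Sample: four records copied from the report above, plus one constructed AVC line.
_RA = "auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0"
SAMPLE = [
    f"audit(1248863231.539:55834): {_RA} op=remove rule key=(null) list=2 res=1",
    f"audit(1248863231.539:55835): audit_enabled=0 old=1 {_RA} res=1",
    "config change requested by pid=9598 auid=500 subj=unconfined_u:system_r:initrc_t:s0",
    "audit(1248871767.418:3339) config changed, auid=500 pid=9598 subj=unconfined_u:system_r:initrc_t:s0 res=success",
    'avc:  denied  { read } for pid=1234 comm="demo" scontext=system_u:system_r:httpd_t:s0 tclass=file',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An `audit_enabled=0` record from any other domain or from a real login UID lands in the review list rather than being dropped.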