https://bugzilla.novell.com/show_bug.cgi?id=786024 https://bugzilla.novell.com/show_bug.cgi?id=786024#c16 --- Comment #16 from Michal Vyskocil <mvyskocil@suse.com> 2013-02-28 13:19:11 UTC --- Created an attachment (id=527476) --> (http://bugzilla.novell.com/attachment.cgi?id=527476) strace output of vsftpd This is the full strace output, but I was not able to realize which syscall triggered the audit error. Note that process calls capset for CAP_AUDIT_WRITE (+ _CONTROL, which shall not be needed). I would not say there are no more capabilities to try. This is a part relevant starting with what audit_init do 7462 14:01:23.677346 socket(PF_NETLINK, SOCK_RAW, 9) = 4 7462 14:01:23.677412 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 7462 14:01:23.677463 socket(PF_NETLINK, SOCK_RAW, 0) = 5 7462 14:01:23.677499 bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 7462 14:01:23.677541 getsockname(5, {sa_family=AF_NETLINK, pid=1, groups=00000000}, [12]) = 0 7462 14:01:23.677583 sendto(5, "\24\0\0\0\26\0\1\3#U/Q\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 7462 14:01:23.677634 recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"0\0\0\0\24\0\2\0#U/Q\1\0\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1\10\0\2\0\177\0\0\1\7\0\3\0lo\0\0<\0\0\0\24\0\2\0#U/Q\1\0\0\0\2\22\200\0\2\0\0\0\10\0\1\0\nd3Y\10\0\2\0\nd3Y\10\0\4\0\nd?\377\t\0\3\0eth0\0\0\0\0<\0\0\0\24\0\2\0#U/Q\1\0\0\0\2\27\200\0\3\0\0\0\10\0\1\0\225,\2106\10\0\2\0\225,\2106\10\0\4\0\225,\211\377\n\0\3\0wlan0\0\0\0", 4096}], msg_controllen=0, msg_flags=0}, 0) = 168 7462 14:01:23.677687 recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0#U/Q\1\0\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\24\0\6\0\377\377\377\377\377\377\377\377j\3\0\0j\3\0\0@\0\0\0\24\0\2\0#U/Q\1\0\0\0\n@\200\375\2\0\0\0\24\0\1\0\376\200\0\0\0\0\0\0>\227\16\377\376q\2767\24\0\6\0\377\377\377\377\377\377\377\377]\321\3\0]\321\3\0@\0\0\0\24\0\2\0#U/Q\1\0\0\0\n@\200\375\3\0\0\0\24\0\1\0\376\200\0\0\0\0\0\0\206:K\377\376[\253\314\24\0\6\0\377\377\377\377\377\377\377\377\241\322\3\0\241\322\3\0", 4096}], msg_controllen=0, msg_flags=0}, 0) = 192 7462 14:01:23.677730 recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#U/Q\1\0\0\0\0\0\0\0", 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 7462 14:01:23.677769 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 6 7462 14:01:23.677804 connect(6, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = 0 7462 14:01:23.677847 sendto(6, "\2\0\0\0\r\0\0\0\6\0\0\0hosts\0", 18, MSG_NOSIGNAL, NULL, 0) = 18 7462 14:01:23.677882 poll([{fd=6, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 ([{fd=6, revents=POLLIN}]) 7462 14:01:23.677936 recvmsg(6, {msg_name(0)=NULL, msg_iov(2)=[{"hosts\0", 6}, {"\310O\3\0\0\0\0\0", 8}], msg_controllen=24, {cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {7}}, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 14 7462 14:01:23.678022 mmap(NULL, 217032, PROT_READ, MAP_SHARED, 7, 0) = 0x7fc3b1cf7000 7462 14:01:23.678113 close(7) = 0 7462 14:01:23.678169 close(6) = 0 7462 14:01:23.678252 close(5) = 0 7462 14:01:23.678388 readlink("/proc/self/exe", "/usr/sbin/vsftpd", 4096) = 16 7462 14:01:23.678541 sendto(4, "\204\0\0\0L\4\5\0\1\0\0\0\0\0\0\0op=PAM:authentication acct=\"test\" exe=\"/usr/sbin/vsftpd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=ftp res=success\0", 132, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 132 7462 14:01:23.678605 poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}]) 7462 14:01:23.678654 recvfrom(4, "\230\0\0\0\2\0\0\0\1\0\0\0005\357\377\377\377\377\377\377\204\0\0\0L\4\5\0\1\0\0\0\0\0\0\0op=PAM:authentication acct=\"test\" exe=\"/usr/sbin/vsftpd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=ftp res=success\0", 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 152 7462 14:01:23.678709 recvfrom(4, "\230\0\0\0\2\0\0\0\1\0\0\0005\357\377\377\377\377\377\377\204\0\0\0L\4\5\0\1\0\0\0\0\0\0\0op=PAM:authentication acct=\"test\" exe=\"/usr/sbin/vsftpd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=ftp res=success\0", 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 152 7462 14:01:23.678759 getuid() = 0 7462 14:01:23.678802 getuid() = 0 7462 14:01:23.678880 socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 7462 14:01:23.678927 connect(5, {sa_family=AF_FILE, sun_path="/dev/log"}, 110) = 0 7462 14:01:23.678977 sendto(5, "<82>Feb 28 14:01:23 vsftpd[1]: PAM audit_log_acct_message() failed: Operation not permitted", 91, MSG_NOSIGNAL, NULL, 0) = 91 7462 14:01:23.679050 close(4) = 0 But despite the recvfrom(4 did not failed, the Operation not permitted is returned, but I have no idea why. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.