http://bugzilla.suse.com/show_bug.cgi?id=944125 Bug ID: 944125 Summary: Kernel audit cannot be turned off for a desktop application Classification: openSUSE Product: openSUSE Factory Version: 201505* Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-maintainers@forge.provo.novell.com Reporter: hguo@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- The system is running the latest Tumbleweed snapshot. I start a terminal and run: root@g123 /h/howard# auditd -s disable root@g123 /h/howard# auditctl -e 0 enabled 0 flag 1 pid 9409 rate_limit 0 backlog_limit 64 lost 3014 backlog 0 backlog_wait_time 60000 Then start Opera browser (31.0) on KDE desktop. However, kernel audit does not appear disabled for Opera browser, as I observe many audit trails coming with tab open/close operations. Examples: Sep 02 09:40:47 g123 opera[12593]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=12593 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7fd10556111f code=0x50000 Sep 02 09:40:47 g123 opera[9956]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=9956 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7fd106b56444 code=0x50000 In the meanwhile, auditctl confirms that auditing is disabled. So it appears that kernel audit cannot be turned off for certain desktop applications, or auditctl is giving false reports. -- You are receiving this mail because: You are on the CC list for the bug.