Bug ID 944125
Summary Kernel audit cannot be turned off for a desktop application
Classification openSUSE
Product openSUSE Factory
Version 201505*
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Kernel
Assignee kernel-maintainers@forge.provo.novell.com
Reporter hguo@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

The system is running the latest Tumbleweed snapshot.

I start a terminal and run:

root@g123 /h/howard# auditd -s disable
root@g123 /h/howard# auditctl -e 0
enabled 0
flag 1
pid 9409
rate_limit 0
backlog_limit 64
lost 3014
backlog 0
backlog_wait_time 60000

Then I start the Opera browser (31.0) on the KDE desktop. However, kernel audit
does not appear to be disabled for the Opera browser, as I observe many audit
trails coming with tab open/close operations. Examples:

Sep 02 09:40:47 g123 opera[12593]: <audit-1326> auid=1000 uid=1000 gid=100
ses=2 pid=12593 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0
arch=c000003e syscall=2 compat=0 ip=0x7fd10556111f code=0x50000
Sep 02 09:40:47 g123 opera[9956]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2
pid=9956 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0
arch=c000003e syscall=273 compat=0 ip=0x7fd106b56444 code=0x50000


In the meantime, auditctl confirms that auditing is disabled.

So it appears that kernel audit cannot be turned off for certain desktop
applications, or auditctl is giving false reports.
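
Added example (not part of the original report): a small Python decoder for the `<audit-1326>` journal records quoted above, useful when triaging what such records actually contain. It assumes, per the Linux UAPI headers, that record type 1326 is AUDIT_SECCOMP and that `code` carries the seccomp filter action; the syscall table is deliberately limited to the two x86_64 numbers seen in the report.

```python
import re
from collections import Counter

# The two records from the report above, unwrapped to one line each.
SAMPLE = [
    'Sep 02 09:40:47 g123 opera[12593]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=12593 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7fd10556111f code=0x50000',
    'Sep 02 09:40:47 g123 opera[9956]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=9956 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7fd106b56444 code=0x50000',
]

AUDIT_SECCOMP = 1326                 # linux/audit.h
SECCOMP_RET_ACTION = 0x7FFF0000      # linux/seccomp.h: action bits of the filter result
ACTIONS = {0x00000000: "KILL", 0x00030000: "TRAP", 0x00050000: "ERRNO",
           0x7FF00000: "TRACE", 0x7FFF0000: "ALLOW"}
ARCHES = {0xC000003E: "x86_64", 0x40000003: "i386"}   # AUDIT_ARCH_* values
X86_64_SYSCALLS = {2: "open", 273: "set_robust_list"}  # partial table (assumption: extend as needed)

RECORD = re.compile(r'<audit-(\d+)>\s+(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one journal line into a dict of audit fields, or None if it is not an audit record."""
    m = RECORD.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    rec["type"] = int(m.group(1))
    return rec

def decode_seccomp(rec):
    """Translate the numeric fields of a type-1326 record into names; None for other records."""
    if rec is None or rec["type"] != AUDIT_SECCOMP:
        return None
    arch, nr, code = int(rec["arch"], 16), int(rec["syscall"]), int(rec["code"], 16)
    names = X86_64_SYSCALLS if arch == 0xC000003E else {}
    return {"exe": rec["exe"], "pid": int(rec["pid"]), "signal": int(rec["sig"]),
            "arch": ARCHES.get(arch, hex(arch)),
            "syscall": names.get(nr, str(nr)),
            "action": ACTIONS.get(code & SECCOMP_RET_ACTION, hex(code))}

def summarize(lines):
    """Count seccomp events per (exe, syscall, action) so noisy processes stand out."""
    events = filter(None, (decode_seccomp(parse(l)) for l in lines))
    return Counter((e["exe"], e["syscall"], e["action"]) for e in events)

if __name__ == "__main__":
    for (exe, syscall, action), n in summarize(SAMPLE).items():
        print(n, exe, syscall, action)
```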

