Comment # 3 on bug 944125 from
(In reply to Howard Guo from comment #2)
> Here are the audit messages coming from kernel:
> 
> Sep 03 09:21:23 g123 opera[27322]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000
> Sep 03 09:21:23 g123 kernel: audit: type=1326 audit(1441264883.110:5311): auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000
> Sep 03 09:21:23 g123 opera[27322]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000
> Sep 03 09:21:23 g123 kernel: audit: type=1326 audit(1441264883.172:5312): auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000

I understand they are coming from the kernel, but which file are you extracting
them from? As I said, the format of the messages is not normal.

> Interesting find:
> I have a systemd unit that runs a script as root, shortly after system boot.
> The script runs among other things:
> auditctl -e 0
> auditd -s disable

Why are you doing this? Just remove the auditd package. It is not mandatory to
have it installed. Delete it, and its unit file that starts audit will not be
run, so you don't need the above. This may well be part of your problem.

> It appears that, if I open Opera before the systemd unit triggers, then
> close and restart Opera after the unit finishes its work, the kernel audit
> messages always resume. 

I don't know how opera actually works behind the scenes. However, if auditctl
-s is 1 before your unit script runs, tasks that run prior to your systemd
unit running will have an assigned audit context. I would need to look at
the code in detail to know exactly what would happen here; lots of message
types are special-cased.


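Added example (not part of this bug report, and not code from the audit or Opera projects): a small Python parser for the type=1326 (SECCOMP) records quoted above. It handles both shapes seen in the report, the kernel "audit: type=1326 ..." line and the journal's "<audit-1326>" rendering, re-joins continuation lines where a mail wrap split a token such as code=0x50000, and decodes the code field into the seccomp action and its data word using the constants from <linux/seccomp.h>. The sample log text, the minimal syscall-name table and the function names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample input: the two record shapes quoted in the bug report, with the
# mail-style wrap that split "code=0x50000" into "code=0x5" / "0000" reproduced on
# the first record, plus one non-SECCOMP record that the parser must skip.
SAMPLE_LOG = """\
Sep 03 09:21:23 g123 opera[27322]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x5
0000
Sep 03 09:21:23 g123 kernel: audit: type=1326 audit(1441264883.110:5311): auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000
Sep 03 09:21:24 g123 kernel: audit: type=1300 audit(1441264884.000:5313): arch=c000003e syscall=59 success=yes exit=0
"""

# Seccomp return-value layout from <linux/seccomp.h>: the audit "code" field is the
# filter's return value; the upper 16 bits select the action, the lower 16 bits
# carry action-specific data (the errno for SECCOMP_RET_ERRNO).
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_RET_DATA = 0x0000FFFF
SECCOMP_ACTIONS = {
    0x00000000: "KILL_THREAD",
    0x80000000: "KILL_PROCESS",
    0x00030000: "TRAP",
    0x00050000: "ERRNO",
    0x7FC00000: "USER_NOTIF",
    0x7FF00000: "TRACE",
    0x7FFC0000: "LOG",
    0x7FFF0000: "ALLOW",
}

AUDIT_ARCH_X86_64 = "c000003e"
# Deliberately minimal x86_64 syscall table, enough for the sample (assumption: a
# real deployment would load the full table for the target kernel).
X86_64_SYSCALLS = {2: "open", 59: "execve"}

# Syslog/journal lines begin with "Mon DD HH:MM:SS"; anything else is a wrapped tail.
_LINE_START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap_lines(text: str) -> List[str]:
    """Re-join continuation lines that do not begin with a syslog timestamp."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if _LINE_START.match(raw) or not out:
            out.append(raw)
        else:
            # The wrap split a single token, so join without inserting a space.
            out[-1] += raw.strip()
    return out


def decode_seccomp_code(code: int) -> Dict[str, object]:
    """Split a seccomp return value into its action name and data word."""
    action = code & SECCOMP_RET_ACTION_FULL
    return {
        "action": SECCOMP_ACTIONS.get(action, f"UNKNOWN_{action:#010x}"),
        "data": code & SECCOMP_RET_DATA,
    }


def parse_seccomp_records(text: str) -> List[Dict[str, object]]:
    """Extract structured SECCOMP (type=1326) records from kernel or journal lines."""
    records: List[Dict[str, object]] = []
    for line in unwrap_lines(text):
        if "type=1326" in line:
            source = "kernel"
        elif "<audit-1326>" in line:
            source = "journal"
        else:
            continue  # not a SECCOMP record
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        code = int(fields["code"], 16)
        nr = int(fields["syscall"])
        name = X86_64_SYSCALLS.get(nr, str(nr)) if fields["arch"] == AUDIT_ARCH_X86_64 else str(nr)
        records.append({
            "source": source,
            "pid": int(fields["pid"]),
            "comm": fields["comm"],
            "exe": fields["exe"],
            "arch": fields["arch"],
            "syscall": nr,
            "syscall_name": name,
            "code": code,
            **decode_seccomp_code(code),
        })
    return records


if __name__ == "__main__":
    for rec in parse_seccomp_records(SAMPLE_LOG):
        print(f"[{rec['source']}] pid={rec['pid']} {rec['comm']} {rec['syscall_name']} "
              f"-> {rec['action']} data={rec['data']}")
```

For the quoted records this yields two entries, both pid 27322, syscall 2 (open on x86_64) and code 0x50000, which decodes to SECCOMP_RET_ERRNO with data 0; the type=1300 SYSCALL line is ignored. Feeding journalctl or /var/log/audit/audit.log output through the same parser gives a quick way to confirm whether records keep arriving after the unit has run auditctl -e 0, which is the question the thread is circling.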