On Thu, 2008-10-30 at 07:46 -0500, LC Bruzenak wrote: > On Thu, 2008-10-30 at 06:34 -0400, Steve Grubb wrote: > > > > Nope...somewhere the pam originating events are being eaten. You might > > strace > > an xdm login and look for some sendto's followed immediately by recvfrom's > > to > > the audit socket. If they are missing entirely, then xdm is not calling > > pam. > > If they are there, we'd want to look at the return code to see if its > > having > > an error. Is xdm running as root at the point pam is called? Are there > > selinux rules? Are there dontaudit rules eating this? > >
I removed the dontaudits with semodule -DB and the events are still not there. So I don't think my policy is eating them. Also no strace joy yet because it looks like xdm launches something else which does the authentication. So I went back to the gdm session which audits. I thought if I could see the strace from that I'd know what to look for on the failing one. Here is the USER_LOGIN event: node=hugo type=USER_LOGIN msg=audit(10/30/2008 08:55:53.356:278784) : user pid=7417 uid=root auid=lenny subj=system_u:system_r:xdm_t:s0-s15:c0.c1023 msg='uid=lenny exe=/usr/libexec/gdm-session-worker (hostname=, addr=?, terminal=/dev/tty7 res=success)' So I attached strace to the running "gdm-session-worker" process but that strace isn't particularly insightful (to me at least). How do I know which one is the audit socket? I ran a known audit test program and there I could deduce the audit socket because I could see the text I was sending in the strace; e.g.: sendto(4, "\274\0\0\0a\4\5\0\1\0\0\0\0\0\0\0real-pri=2, real"..., 188, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 188 But looking earlier in the strace doesn't give me much clue as to FD=4 being the audit socket. Any suggestions are welcome; thanks again for the help! LCB. -- LC (Lenny) Bruzenak [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit