The mq_open / mq_unlink problem (audit record == pointer + 1) is due to the way glibc implements mq_open, and is not a kernel bug.
From ./sysdeps/unix/sysv/linux/mq_open.c in GLibc...
mqd_t
mq_open (const char *name, int oflag, ...)
{
if (name[0] != '/')
{
__set_errno (EINVAL);
return -1;
}
[...]
return INLINE_SYSCALL (mq_open, 4, name + 1, oflag, mode, attr);
}
...as you can see, when the API is passed "/foo" glibc removes the /
giving the kernel just "foo". I think you'll have to special case this
in the audit testing.
--
James Antill <[EMAIL PROTECTED]>
signature.asc
Description: This is a digitally signed message part
-- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
