James Antill wrote:
The mq_open / mq_unlink problem (audit record == pointer + 1) is due to the way glibc implements mq_open, and is not a kernel bug.From ./sysdeps/unix/sysv/linux/mq_open.c in GLibc... mqd_t mq_open (const char *name, int oflag, ...) { if (name[0] != '/') { __set_errno (EINVAL); return -1; } [...] return INLINE_SYSCALL (mq_open, 4, name + 1, oflag, mode, attr); } ...as you can see, when the API is passed "/foo" glibc removes the / giving the kernel just "foo". I think you'll have to special case this in the audit testing.
Thanks James, that's retarded. Mike -- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
