On 2/7/20 2:56 PM, Paul Moore wrote: > > On February 7, 2020 2:18:33 PM Steve Grubb wrote: >> On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote: >>>> Doesn't seem much better: >>>> >>>> type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) : >>>> proctitle=/bin/bash /usr/bin/thunderbird >>>> type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64 >>>> syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018 >>>> a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER >>>> euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) >>>> ses=1 comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird >>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >>>> key=watched_users >>>> Why no PATH entry? I have them for things like open: >>> >>> The kernel guys can probably answer this accurately. >> >> I would have thought that they would have chimed in by now. Since they didn't >> you might want to file an issue on github. I think you found a problem that >> someone should look into some day. > > One of them (me) is on vacation, and only dealing with emergencies as they arise - this isn't one of those. I'm not sure what Richard is doing, but you'll get an answer when I'm back in "the office" if Richard doesn't comment first. > > That said, it's always okay to file a GH issue. > > -- > paul moore > www.paul-moore.com Thanks, filed here: https://github.com/linux-audit/audit-kernel/issues/119 -- Orion Poplawski Manager of NWRA Technical Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 https://www.nwra.com/