From: russell@coker.com.au (Russell Coker)
Date: Wed, 25 Jun 2014 13:55:54 +1000
Subject: [refpolicy] read via mprotect?
Message-ID: <8185646.XMy085l2vZ@russell.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

type=AVC msg=audit(1403661301.411:163): avc:  denied  { read } for  pid=12314 
comm="sa1" path="/bin/dash" dev="dm-0" ino=848 
scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1403661301.411:163): arch=c000003e syscall=10 
success=yes exit=0 a0=7f6a131f2000 a1=2000 a2=1 a3=7f6a12fd71a8 items=0 
ppid=12313 pid=12314 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sa1" exe="/bin/dash" 
subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)

Syscall 10 on AMD64 is mprotect.  Why would mprotect require read access?

I tried running sa1 under gdb, but a breakpoint on mprotect wasn't triggered.  
Any suggestions on how to debug this?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/