From: russell@coker.com.au (Russell Coker) Date: Wed, 25 Jun 2014 13:55:54 +1000 Subject: [refpolicy] read via mprotect? Message-ID: <8185646.XMy085l2vZ@russell.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com type=AVC msg=audit(1403661301.411:163): avc: denied { read } for pid=12314 comm="sa1" path="/bin/dash" dev="dm-0" ino=848 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file type=SYSCALL msg=audit(1403661301.411:163): arch=c000003e syscall=10 success=yes exit=0 a0=7f6a131f2000 a1=2000 a2=1 a3=7f6a12fd71a8 items=0 ppid=12313 pid=12314 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sa1" exe="/bin/dash" subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null) Syscall 10 on AMD64 is mprotect. Why would mprotect require read access? I tried running sa1 under gdb, but a breakpoint on mprotect wasn't triggered. Any suggestions on how to debug this? -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/