https://bugzilla.redhat.com/show_bug.cgi?id=1119849
--- Comment #11 from Lars Kellogg-Stedman <[email protected]> ---
Okay:

Prior to commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb, audit events were only accepted in the root network namespace, and attempts to send audit events in other namespaces always resulted in ECONNREFUSED, which, as documented in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=543bc6a1a987672b79d6ebe8e2ab10471d8f1047, is a non-fatal error that will allow the sending process to continue on its merry way.

Running strace on docker using a kernel from 2f2ad10 (the immediately prior commit) yields, for example:

    539 sendto(3, "p\0\0\0L\4\5\0\1\0\0\0\0\0\0\0op=PAM:authentication acct=\"root\" exe=\"/usr/bin/su\" hostname=? a"..., 112, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = -1 ECONNREFUSED (Connection refused)

With commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb, audit events are now accepted inside of all network namespaces. Since processes are now able to connect to the audit socket, they no longer receive a simple ECONNREFUSED and must instead pass the capability checks in kernel/audit.c. This means that they need to have CAP_AUDIT_WRITE, and without that they will get an EPERM and will probably exit with an error.
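A diagnostic for the two outcomes contrasted in the comment above, added here as an example (not code from the bug report, Docker or the kernel): it reads the effective capability mask from `/proc/self/status`, tests the CAP_AUDIT_WRITE bit, and sorts an audit `sendto()` result into the non-fatal ECONNREFUSED case or the EPERM case. The function names, the `send_result` enum and the sample mask are assumptions made for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define CAP_AUDIT_WRITE_BIT 29 /* CAP_AUDIT_WRITE in <linux/capability.h> */

/* Constructed sample of /proc/<pid>/status text; this mask lacks bit 29. */
static const char SAMPLE_STATUS[] = "Name:\tsu\nCapEff:\t00000000880425fb\n";

/* Extract the effective capability mask; returns 0 on success, -1 otherwise. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *q = p + 7 + strspn(p + 7, " \t");
            if (!isxdigit((unsigned char)*q))
                return -1; /* empty field: do not read into the next line */
            *mask = (uint64_t)strtoull(q, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

int has_cap_audit_write(uint64_t eff) { return (int)((eff >> CAP_AUDIT_WRITE_BIT) & 1); }

enum send_result { SEND_OK, SEND_NO_AUDIT, SEND_DENIED, SEND_OTHER }; /* hypothetical names */
/* rc and err are the return value and errno of the sendto() on the audit socket. */
enum send_result classify_audit_send(long rc, int err)
{
    if (rc >= 0) return SEND_OK;
    if (err == ECONNREFUSED) return SEND_NO_AUDIT; /* non-fatal: sender carries on */
    return err == EPERM ? SEND_DENIED : SEND_OTHER; /* EPERM: capability check failed */
}

int main(void)
{
    char buf[8192] = {0};
    uint64_t mask;
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    if (parse_cap_eff(n ? buf : SAMPLE_STATUS, &mask) != 0) return 1;
    printf("CapEff=%016llx CAP_AUDIT_WRITE=%d\n", (unsigned long long)mask, has_cap_audit_write(mask));
    return 0;
}
```

Run inside the container, a `CAP_AUDIT_WRITE=0` result means a process that sends audit events there falls into the EPERM case once the kernel accepts audit messages in that namespace.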
