RHEL Testing / RHELTEST-2281

[RHEL9.6] Sanity/audit-testsuite test failed with "All attempts failed! "

    • rhel-se-kernel
    • Low

      DW: https://datawarehouse.cki-project.org/kcidb/tests/20938498

      Rerun passed: https://beaker.engineering.redhat.com/jobs/11987575

      syscalls_file/test ....... 1/3 
                                      
      syscalls_file/test ....... ok
      syscall_module/test ...... 
      syscall_module/test ...... 1/6 # Test 2 got: "256" (syscall_module/test at line 69)
      #   Expected: "0"
      #  syscall_module/test line 69 is: ok( $result, 0 );    # Did the load search find records?
      # Failed test 3 in syscall_module/test at line 82
      #  syscall_module/test line 82 is: ok($found_name);    # Was the load module found?
      
      syscall_module/test ...... 5/6 
                                      
      syscall_module/test ...... Failed 2/6 subtests 
      syscall_socketcall/test .. 
      syscall_socketcall/test .. 1/3 
                                      
      syscall_socketcall/test .. ok
      time_change/test ......... 
      time_change/test ......... 1/84 
      time_change/test ......... 76/84 
                                        
      time_change/test ......... ok
      user_msg/test ............ 
      user_msg/test ............ 1/2 
                                      
      user_msg/test ............ ok
      
      Test Summary Report
      -------------------
      syscall_module/test    (Wstat: 0 Tests: 6 Failed: 2)
        Failed tests:  2-3
      Files=18, Tests=203, 25 wallclock secs ( 0.05 usr  0.02 sys +  1.24 cusr  1.22 csys =  2.53 CPU)
      Result: FAIL
      Failed 1/18 test programs. 2/203 subtests failed.
      make: *** [Makefile:58: test] Error 255
      Running as   user    root
              with context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
              on   system  RHEL9
      
      bpf/test ................. 
      bpf/test ................. 1/3  
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   Test
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      
      :: [ 05:36:52 ] :: [   LOG    ] :: Attempt 1 failed
      :: [ 05:36:52 ] :: [   PASS   ] :: Command 'cat results.log' (Expected 0, got 0)
      :: [ 05:37:17 ] :: [   LOG    ] :: Attempt 2 failed
      :: [ 05:37:17 ] :: [   PASS   ] :: Command 'cat results.log' (Expected 0, got 0)
      :: [ 05:37:42 ] :: [   LOG    ] :: Attempt 3 failed
      :: [ 05:37:42 ] :: [   PASS   ] :: Command 'cat results.log' (Expected 0, got 0)
      :: [ 05:37:42 ] :: [   FAIL   ] :: All attempts failed! 
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   Duration: 76s
      ::   Assertions: 3 good, 1 bad
      ::   RESULT: FAIL (Test)
       

        Test Analysis

        The failing test does the following:

        1. Sets up audit rules to monitor module operations:
          - init_module and finit_module syscalls (for loading modules) with key $key-load
          - delete_module syscall (for unloading modules) with key $key-unload
        2. Loads and unloads the "arp_tables" module using modprobe/rmmod
        3. Searches for audit records using ausearch -k <key> to verify the events were logged
        4. Expects to find KERN_MODULE type records containing the module name

        The failure occurs because ausearch returns exit code 1 (shown as 256 in the test output),
        meaning no matching audit records were found.

        Root Cause Analysis

        The failure happens at these specific lines in syscall_module/test:
        - Line 69: ausearch -k $key-load returns 256 (exit code 1)
        - Line 100: ausearch -k $key-unload returns 256 (exit code 1)

        This indicates that no audit records are being found for module loading/unloading
        operations.

        Potential Causes

        1. Audit subsystem issues:
          - Audit may be disabled or in limited mode
          - Insufficient audit buffer space
          - Audit rules not taking effect
        2. Module-specific issues:
          - The arp_tables module may already be loaded
          - Module loading might fail silently
          - Module operations may not generate expected syscalls on this kernel version
        3. Timing issues:
          - Records may not be available immediately after module operations
          - Sync markers might not be working properly
        4. SELinux/security restrictions:
          - Module operations may be restricted
          - Audit logging may be blocked
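
An added triage example (not part of the original report or of audit-testsuite): shell helpers that decode the 256 status and check `auditctl -s` output, `/proc/modules` and raw audit records for the first two potential causes listed above. The function names, the `demo-*` keys and all sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added triage example; every sample input below is constructed, not taken from the failing job.

# Perl's system() returns the raw wait status; the exit code is its high byte.
wait_to_exit() { echo $(( ($1 >> 8) & 0xff )); }

# stdin: `auditctl -s` output. Prints one line per condition that can make
# records go missing (potential cause 1).
audit_status_problems() {
    awk '$1 == "enabled" && $2 == 0 { print "audit disabled" }
         $1 == "lost" && $2 > 0     { print "lost=" $2 }
         $1 == "backlog_limit"      { limit = $2 }
         $1 == "backlog"            { backlog = $2 }
         END { if (limit > 0 && backlog >= limit) print "backlog full " backlog "/" limit }'
}

# stdin: /proc/modules text. Succeeds if module $1 is already loaded, in which
# case modprobe normally has nothing to insert and makes no load syscall (cause 2).
module_preloaded() { awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }'; }

# stdin: raw audit log. Prints how many events carry both a SYSCALL record with
# key $1 and a KERN_MODULE record naming module $2 (what the test looks for).
module_events() {
    awk -v key="$1" -v mod="$2" '
        BEGIN { k = "key=\"" key "\""; m = "name=\"" mod "\"" }
        { id = $2 }   # msg=audit(TIME:SERIAL): is shared by the records of one event
        $1 == "type=SYSCALL"     && index($0, k) { sys[id] = 1 }
        $1 == "type=KERN_MODULE" && index($0, m) { km[id] = 1 }
        END { for (i in sys) if (i in km) n++; print n + 0 }'
}

# Constructed samples: a full backlog with lost records, a preloaded module,
# one complete load event and one unload SYSCALL with no KERN_MODULE record.
STATUS_SAMPLE='enabled 1
backlog_limit 64
lost 7
backlog 64'
MODULES_SAMPLE='arp_tables 28672 0 - Live 0x0000000000000000'
LOG_SAMPLE='type=SYSCALL msg=audit(1700000000.101:41): arch=c000003e syscall=313 success=yes exit=0 comm="modprobe" key="demo-load"
type=KERN_MODULE msg=audit(1700000000.101:41): name="arp_tables"
type=SYSCALL msg=audit(1700000000.350:42): arch=c000003e syscall=176 success=yes exit=0 comm="rmmod" key="demo-unload"'

echo "ausearch exit code: $(wait_to_exit 256)"
printf '%s\n' "$STATUS_SAMPLE" | audit_status_problems
if printf '%s\n' "$MODULES_SAMPLE" | module_preloaded arp_tables; then echo "arp_tables already loaded"; fi
echo "load events:   $(printf '%s\n' "$LOG_SAMPLE" | module_events demo-load arp_tables)"
echo "unload events: $(printf '%s\n' "$LOG_SAMPLE" | module_events demo-unload arp_tables)"
```

On a live system the same functions can be fed from `auditctl -s`, `/proc/modules` and the audit log file instead of the samples.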

       

              xiubli@redhat.com Xiubo Li