Describe the bug
Kernel floods the log with audit: error in audit_log_subj_ctx (783 occurrences in a single boot), plus kauditd hold queue overflow and kauditd_printk_skb: N callbacks suppressed. Subject context (subj=...) is missing from early-boot audit records (netlabel init).
This is the same upstream 6.18+ audit regression discussed on the Manjaro forum, traced to the "Audit: Add record for multiple object contexts" patch series.
Not a duplicate of #847: that issue was a bootloader entry missing lsm=/apparmor= params. Here the cmdline is correct and AppArmor is fully loaded, yet the error persists.
Environment
linux-cachyos 7.0.11-1 (clang 22.1.6, built 2026-06-05), Limine bootloader
apparmor 5.0.1-1, audit 4.1.4-2.1
- cmdline:
... lsm=landlock,lockdown,yama,integrity,bpf,apparmor
aa-enabled -> Yes
/sys/kernel/security/lsm -> capability,landlock,lockdown,yama,bpf,apparmor
To reproduce
- Boot 7.0.11 with apparmor in
lsm= and active auditd rules
journalctl -b -k | grep -c audit_log_subj_ctx -> non-zero
Note
Post #11 of the Manjaro thread (add apparmor to lsm=) does not fix it here, since the LSM context is already correct. Appears to be a genuine kernel-side error path when secctx is unavailable for early netlabel events. Filing for awareness / possible upstream backport.
Describe the bug
Kernel floods the log with
audit: error in audit_log_subj_ctx(783 occurrences in a single boot), pluskauditd hold queue overflowandkauditd_printk_skb: N callbacks suppressed. Subject context (subj=...) is missing from early-boot audit records (netlabel init).This is the same upstream 6.18+ audit regression discussed on the Manjaro forum, traced to the "Audit: Add record for multiple object contexts" patch series.
Not a duplicate of #847: that issue was a bootloader entry missing
lsm=/apparmor=params. Here the cmdline is correct and AppArmor is fully loaded, yet the error persists.Environment
linux-cachyos 7.0.11-1(clang 22.1.6, built 2026-06-05), Limine bootloaderapparmor 5.0.1-1,audit 4.1.4-2.1... lsm=landlock,lockdown,yama,integrity,bpf,apparmoraa-enabled->Yes/sys/kernel/security/lsm->capability,landlock,lockdown,yama,bpf,apparmorTo reproduce
lsm=and active auditd rulesjournalctl -b -k | grep -c audit_log_subj_ctx-> non-zeroNote
Post #11 of the Manjaro thread (add apparmor to
lsm=) does not fix it here, since the LSM context is already correct. Appears to be a genuine kernel-side error path when secctx is unavailable for early netlabel events. Filing for awareness / possible upstream backport.