Skip to content

[BUG] kernel spams "audit: error in audit_log_subj_ctx" on 7.0.11 despite correct lsm=/apparmor config #878

Description

@YoshKoz

Describe the bug

Kernel floods the log with audit: error in audit_log_subj_ctx (783 occurrences in a single boot), plus kauditd hold queue overflow and kauditd_printk_skb: N callbacks suppressed. Subject context (subj=...) is missing from early-boot audit records (netlabel init).

This is the same upstream 6.18+ audit regression discussed on the Manjaro forum, traced to the "Audit: Add record for multiple object contexts" patch series.

Not a duplicate of #847: that issue was a bootloader entry missing lsm=/apparmor= params. Here the cmdline is correct and AppArmor is fully loaded, yet the error persists.

Environment

  • linux-cachyos 7.0.11-1 (clang 22.1.6, built 2026-06-05), Limine bootloader
  • apparmor 5.0.1-1, audit 4.1.4-2.1
  • cmdline: ... lsm=landlock,lockdown,yama,integrity,bpf,apparmor
  • aa-enabled -> Yes
  • /sys/kernel/security/lsm -> capability,landlock,lockdown,yama,bpf,apparmor

To reproduce

  1. Boot 7.0.11 with apparmor in lsm= and active auditd rules
  2. journalctl -b -k | grep -c audit_log_subj_ctx -> non-zero

Note

Post #11 of the Manjaro thread (add apparmor to lsm=) does not fix it here, since the LSM context is already correct. Appears to be a genuine kernel-side error path when secctx is unavailable for early netlabel events. Filing for awareness / possible upstream backport.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions