[redhat-lspp] staff_u:auditadm_r:auditadm_t:SystemHigh unable to run_init

Michael C Thompson thompsmc at us.ibm.com
Tue Oct 17 14:52:40 UTC 2006


Hey Dan,

It looks like auditadm is unable to use run_init at SystemHigh. Is this 
intended? The functionality I am looking for is for auditadm to be able 
to restart the audit daemon and view the audit log without changing 
levels. I am not sure if this is desirable in terms of a certified system 
or not.

Below are the AVC messages I am seeing. Also, I've noticed that we are 
getting another (unrelated to this problem) AVC message, posted below too.

Thanks,
Mike

# run_init /etc/init.d/auditd status
Authenticating ealuser.
Password:
run_init: error while loading shared libraries: /lib/ld.so.1: cannot 
apply additional memory protection after relocation: Permission denied

# ls -Z /lib/ld.so.1
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /lib/ld.so.1 -> 
ld-2.5.so


run_init generates this unrelated AVC message pre-authentication:

type=AVC msg=audit(1161096443.514:2865): avc:  denied  { write } for 
pid=1483 comm="mcstransd" name="[94291]" dev=sockfs ino=94291 
scontext=system_u:system_r:setrans_t:s0-s15:c0.c1023 
tcontext=system_u:system_r:setrans_t:s15:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1161096443.514:2865): arch=14 syscall=146 
success=no exit=-13 a0=5 a1=ff43f9cc a2=3 a3=0 items=0 ppid=1 pid=1483 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) comm="mcstransd" exe="/sbin/mcstransd" 
subj=system_u:system_r:setrans_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1161096443.514:2865):  path="socket:[94291]"


run_init generated these messages post-authentication:

type=AVC msg=audit(1161096470.006:2867): avc:  denied  { getattr } for 
pid=1483 comm="mcstransd" 
scontext=system_u:system_r:setrans_t:s0-s15:c0.c1023 
tcontext=staff_u:auditadm_r:run_init_t:s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1161096470.006:2867): arch=14 syscall=3 
success=no exit=-13 a0=6 a1=10022b68 a2=ffff a3=10032b68 items=0 ppid=1 
pid=1483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" 
subj=system_u:system_r:setrans_t:s0-s15:c0.c1023 key=(null)

type=AVC msg=audit(1161096470.018:2868): avc:  denied  { use } for 
pid=13225 comm="open_init_pty" name="ld-2.5.so" dev=hda3 ino=1781183 
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 
tcontext=staff_u:auditadm_r:run_init_t:s15:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1161096470.018:2868): arch=14 syscall=125 
success=no exit=-13 a0=f7fd0000 a1=10000 a2=1 a3=100007ac items=0 
ppid=13111 pid=13225 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=pts1 comm="open_init_pty" 
exe="/usr/sbin/open_init_pty" 
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1161096470.018:2868):  path="/lib/ld-2.5.so"
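
As an added example, not part of the original post: a Python helper that rejoins mail-wrapped audit records like the ones above, pairs each AVC denial with its AVC_PATH record by event ID, and splits the source and target contexts into low and high MLS levels so they can be compared side by side. The function names are hypothetical, and SAMPLE is event 2868 copied from the post with its SYSCALL record left out.

```python
import re
from collections import defaultdict

# Constructed sample: event 2868 from the post, still hard-wrapped by the mailer.
SAMPLE = """\
type=AVC msg=audit(1161096470.018:2868): avc:  denied  { use } for
pid=13225 comm="open_init_pty" name="ld-2.5.so" dev=hda3 ino=1781183
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=staff_u:auditadm_r:run_init_t:s15:c0.c1023 tclass=fd
type=AVC_PATH msg=audit(1161096470.018:2868):  path="/lib/ld-2.5.so"
"""

def unwrap(text):
    """Rejoin mail-wrapped audit records; each record starts with 'type='."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("type=") or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def split_context(ctx):
    """user:role:type:range -> (user, role, type, low level, high level)."""
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return user, role, typ, low, high or low  # a single level is its own range

def denials(text):
    """Correlate AVC and AVC_PATH records that share an audit event ID."""
    events = defaultdict(dict)
    for rec in unwrap(text):
        head = re.match(r"type=(\S+) msg=audit\(([\d.]+:\d+)\)", rec)
        if head:
            pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', rec)
            fields = {k: v.strip('"') for k, v in pairs}
            perms = re.search(r"denied\s+\{([^}]*)\}", rec)
            fields["perms"] = perms.group(1).split() if perms else []
            events[head.group(2)][head.group(1)] = fields
    out = []
    for event_id, recs in events.items():
        if avc := recs.get("AVC"):
            out.append({
                "event": event_id, "perms": avc["perms"], "tclass": avc["tclass"],
                "source": split_context(avc["scontext"]),
                "target": split_context(avc["tcontext"]),
                "path": recs.get("AVC_PATH", {}).get("path"),
            })
    return out
```

Calling `denials(SAMPLE)` returns one summary per denied event; the same function accepts the other records from the message pasted as-is.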





