Auditd & Strict Policy 1.19

George J. Jahchan SELinux at
Fri May 20 07:12:20 UTC 2005

On a Bastilled FC3 latest kernel and with the strict SE Linux policy (1.19), if
not in permissive mode, the auditd daemon refuses to start with the following
error messages in /var/log/messages:

... Unable to set audit pid, exiting.
... Error sending failure mode request (Operation not permitted).

Once the daemon starts in permissive mode, it is not a problem to revert SE
Linux back to enforcing mode, the daemon stays up (and performs as expected).

Have started Fedora with audit=1 kernel option and enabled the noisy events in
SE Linux (make enableaudit & make load in the strict policy source directory),
auditd-related denials have all been explicitly allowed in our custom.te policy
under domains/misc. Auditd daemon still fails to start in enforcing mode, and no
selinux denials are generated when we try to start it.

Using the above method, we have been able to get the system to boot in enforcing
mode and run all the programs & daemons we needed to run (with no selinux
denials, except attempts to access shadow_t which is protected by an assertion
in the strict policy), except for auditd.

Any hints on how to resolve this issue?

More information about the fedora-selinux-list mailing list