aduitd failing to start

Stephen Smalley sds at tycho.nsa.gov
Thu Mar 20 12:36:42 UTC 2008 

On Wed, 2008-03-19 at 11:51 -0700, pselinux wrote:
> Hi,
>   I am on Red Hat Linux enterprise 5  (Dell 1950). Auditing is failing to
> start. This is the message in messages file
> 
> Mar 19 10:14:08 myhost kernel: input: USB HID v1.00 Keyboard [Silitek
> Standard USB Keyboard ] on usb-0000:00:1d.7-5.1
> Mar 19 10:14:36 myhost restorecond: Will not restore a file with more than
> one hard link (/etc/resolv.conf) No such file or directory 
> Mar 19 10:19:10 myhost restorecond: Will not restore a file with more than
> one hard link (/etc/resolv.conf) Invalid argument 
> Mar 19 10:20:22 myhost restorecond: Will not restore a file with more than
> one hard link (/etc/resolv.conf) Invalid argument 
> Mar 19 12:20:01 myhost dbus: Can't send to audit system: USER_AVC avc: 
> received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?,
> addr=?, terminal=?)
> Mar 19 12:27:42 myhost kernel: audit(1205944062.921:39): avc:  denied  {
> getattr } for  pid=32443 comm="auditd" path="/etc/resolv.conf" dev=sda3
> ino=15124046 scontext=user_u:system_r:auditd_t:s0
> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
> Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc:  denied  {
> connect } for  pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
> tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 12:27:42 myhost kernel: audit(1205944062.922:41): avc:  denied  {
> connect } for  pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
> tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 12:27:42 myhost kernel: audit(1205944062.922:42): avc:  denied  {
> connect } for  pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
> tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 12:27:42 myhost kernel: audit(1205944062.923:43): avc:  denied  {
> connect } for  pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
> tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 12:27:42 myhost auditd: The audit daemon is exiting.
> 
> then i did the following
> 
> get auditd /var/log/messages|audit2allow -M auditsocket
> semodule -i auditsocket.pp
> 
> i tried starting auditd again, it kept giving me messages for auditd denied,
> right now i see this
> 
> Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc:  denied  {
> getattr } for  pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs
> ino=21080 scontext=user_u:system_
> r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc:  denied  {
> read } for  pid=3899 comm="auditd" laddr=xx.xx.xx.xx  lport=32769
> faddr=xx.xx.xx.xx  fport=53 scontex
> t=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
> tclass=udp_socket
> Mar 19 14:05:37 myhost kernel: audit(1205949937.513:119): avc:  denied  {
> read } for  pid=3899 comm="auditd" laddr=xx.xx.xx.xx  lport=32769
> faddr=xx.xx.xx.xx  fport=53 scontex
> t=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
> tclass=udp_socket
> Mar 19 14:05:37 myhost kernel: audit(1205949937.514:120): avc:  denied  {
> read } for  pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
> faddr=xx.xx.xx.xx  fport=53 scontex
> t=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
> tclass=udp_socket
> Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc:  denied  {
> read } for  pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
> faddr=xx.xx.xx.xx fport=53 scontex
> t=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
> tclass=udp_socket
> Mar 19 14:05:37 learn6 auditd: The audit daemon is exiting.
> 
> I need help to resolve this above issue. Am i doing something wrong? Can
> someone help me please.
> 
> i do not want to disable SELinux.

So on the first attempt, auditd only got so far in its initialization
before exiting and thus didn't generate the later set of audit messages.

You can keep interatively generating new policy modules as you did above
and inserting them until you get a working auditd, or you can just
switch to permissive mode temporarily (setenforce 0), start auditd to
generate the full set of audit messages, and generate the final policy
module in one go.  Then switch back to enforcing mode (setenforce 1).

A finer-grained way of doing this is coming via permissive domains,
where you can make a single domain permissive.  

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list