auditd failing to start

Pad Hosmane phosmane at ntis.gov
Thu Mar 20 15:02:29 UTC 2008


> I tried starting auditd again, it kept giving me messages for auditd denied,
> right now I see this
> 
> Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc:  denied  { getattr } for  pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs ino=21080 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc:  denied  { read } for  pid=3899 comm="auditd" laddr=xx.xx.xx.xx  lport=32769 faddr=xx.xx.xx.xx  fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
> Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc:  denied  { read } for  pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 14:05:37 learn6 auditd: The audit daemon is exiting.
> 
> I need help to resolve this above issue. Am I doing something wrong? Can someone help me please.
> 
> I do not want to disable SELinux.

So on the first attempt, auditd only got so far in its initialization
before exiting and thus didn't generate the later set of audit messages.

You can keep iteratively generating new policy modules as you did above
and inserting them until you get a working auditd, or you can just
switch to permissive mode temporarily (setenforce 0), start auditd to
generate the full set of audit messages, and generate the final policy
module in one go.  Then switch back to enforcing mode (setenforce 1).

A finer-grained way of doing this is coming via permissive domains,
where you can make a single domain permissive.  

-- 
Stephen Smalley
National Security Agency


Hi Stephen,
   Thank you for the reply. I iteratively generated the new policy
modules and inserted them. I repeated this 6 times. Now auditd does not start and
there are no SELinux-related messages in the system logs. The only message I see is
"The audit daemon is exiting". No messages in /var/log/audit either.

I tried setting SELinux in permissive mode, and auditd won't start in
this mode.

Without enabling audit I cannot put this server in production. Any
input greatly appreciated.

Thanks in advance.
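Stephen's advice above amounts to collecting the complete set of AVC denials (which only appear once auditd gets far enough in permissive mode) and turning them into a single policy module. The script below is an added example, not part of this thread and not audit2allow itself: it parses AVC records in both the kernel/dmesg form quoted in the post and the `type=AVC` form written to /var/log/audit/audit.log, groups the denied permissions by source type, target type and object class, and renders the `allow` rules that audit2allow would propose, so they can be read over before anything is loaded with semodule. The sample input is the three AVC lines from the post (wrapping undone), one constructed audit.log-style file-write denial to show grouping across classes, and the non-AVC "audit daemon is exiting" line that the parser must skip.

```python
import re
from collections import defaultdict

# Matches the AVC body in both the kernel/dmesg form
# ("... kernel: audit(...): avc:  denied  { read } for  pid=...") and the
# audit.log form ("type=AVC msg=audit(...): avc:  denied  { read } for ...").
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample input (constructed for this example): the AVC lines quoted in the
# post, one constructed audit.log-style denial, and a non-AVC auditd line.
SAMPLE_LOG = [
    'Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc:  denied  { getattr } for  pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs ino=21080 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket',
    'Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc:  denied  { read } for  pid=3899 comm="auditd" laddr=xx.xx.xx.xx  lport=32769 faddr=xx.xx.xx.xx  fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0',
    'Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc:  denied  { read } for  pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket',
    # Constructed line (not from the post), in audit.log format:
    'type=AVC msg=audit(1205949937.600:130): avc:  denied  { write } for  pid=3899 comm="auditd" name="audit.log" dev=sda1 ino=12345 scontext=user_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file',
    'Mar 19 14:05:37 learn6 auditd: The audit daemon is exiting.',
]


def context_type(ctx):
    """Return the type (third component) of a user:role:type:level context."""
    if ctx is None:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("fields")):
        key, quoted, bare = fm.groups()
        fields[key] = quoted if quoted is not None else bare
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "source": context_type(fields.get("scontext")),
        "target": context_type(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
    }


def summarize_denials(lines):
    """Group denied permissions by (source type, target type, object class).

    Returns (needed, incomplete): 'needed' maps each triple to the set of
    denied permissions; 'incomplete' lists denial records missing scontext,
    tcontext or tclass (such as the 118 line in the post, which lost its
    tclass) and therefore cannot be turned into a rule.
    """
    needed = defaultdict(set)
    incomplete = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if None in (rec["source"], rec["target"], rec["tclass"]):
            incomplete.append(line.strip())
            continue
        needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(needed), incomplete


def render_te(needed):
    """Render the grouped denials as TE allow rules, one per triple, sorted.

    As audit2allow does, the target is written as 'self' when it equals the source.
    """
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(rules)


if __name__ == "__main__":
    needed, incomplete = summarize_denials(SAMPLE_LOG)
    print(render_te(needed))
    for line in incomplete:
        print("# unusable record (missing context or class):", line)
```

Feed it the AVC lines gathered during a permissive-mode start (`grep avc /var/log/messages` or the audit log), and compare the rendered rules with what `audit2allow -M` produces before inserting anything; the `incomplete` list is the check that nothing was dropped by a truncated or wrapped log line on the way.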
