auditd failing to start

Pad Hosmane phosmane at ntis.gov
Thu Mar 20 16:42:19 UTC 2008


>>Hi Stephen,
>>   Thank you for the reply. I interactively generated the new policy
>>modules and inserted it. I repeated 6 times. Now auditd does not start
>>and no selinux related messages in the system logs. Only message I see is
>>"The audit daemon is exiting". No messages in /var/log/audit either.

>>I tried setting selinux in permissive mode, and auditd won't start in
>>this mode.

>>Without enabling audit I cannot put this server in production. Any
>>input greatly appreciated.

What precise output do you get upon:
	# /sbin/service auditd restart

Output I get is 
Starting auditd:                                           [FAILED]


And what is your audit configuration (under /etc/audit)?

Below is the content of /etc/audit/auditd.conf file

#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
dispatcher = /sbin/audispd
disp_qos = lossy
max_log_file = 30
max_log_file_action = ROTATE
space_left = 75
#space_left_action = SYSLOG
space_left_action = email
action_mail_acct = scook at ntis.gov
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND



No output in /var/log/audit/audit.log?

No entry gets logged into /var/log/audit/audit.log


BTW I forgot to mention this in my earlier emails...sorry....sorry, I
hope this might help. Audit used to work and stopped working; this is
the sequence of events that happened before audit stopped.

1. I set SELinux to disabled (I think, not sure about permissive), since
apache and java app were causing a lot of issues during startup. To debug
this issue I had to disable selinux.

2. Finally I figured it was something else that caused apache and java
app errors.

3. Then I enabled SELinux and created /.autorelabel and rebooted it.
When I was going through system check list then I found out that audit
was starting. Here are the last couple of entries (on Feb 29th, 08) in
/var/log/audit.log

type=CWD msg=audit(1204313263.896:1829993):  cwd="/"
type=PATH msg=audit(1204313263.896:1829993): item=0
name="/usr/lib/locale/locale-archive" inode=12838402 dev=08:03
mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:locale_t:s0
type=SYSCALL msg=audit(1204313263.896:1829994): arch=40000003 syscall=5
success=yes exit=3 a0=9c0bce8 a1=8000 a2=0 a3=8000 items=1 ppid=10587
pid=10597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="id" exe="/usr/bin/id"
subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1204313263.896:1829994):  cwd="/"
type=PATH msg=audit(1204313263.896:1829994): item=0
name="/proc/self/task/10597/attr/current" inode=694485046 dev=00:03
mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1204313263.896:1829995): arch=40000003 syscall=5
success=yes exit=6 a0=91c9630 a1=8000 a2=0 a3=8000 items=1 ppid=1
pid=2278 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd"
subj=system_u:system_r:setrans_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1204313263.896:1829995):  cwd="/"
type=PATH msg=audit(1204313263.896:1829995): item=0
name="/proc/10597/attr/current" inode=694485016 dev=00:03 mode=0100666
ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1204313263.897:1829996): arch=40000003 syscall=5
success=yes exit=3 a0=4424fb77 a1=0 a2=0 a3=ffffffff items=1 ppid=10587
pid=10598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="selinuxenabled"
exe="/usr/sbin/selinuxenabled" subj=system_u:system_r:initrc_t:s0
key=(null)
type=CWD msg=audit(1204313263.897:1829996):  cwd="/"



4. I once manually ran fixfiles. When did I run this? I don't remember
the sequence.



Thanks for the help.



