auditd shutdown issue
Bill O'Donnell
billodo at sgi.com
Mon May 7 16:38:56 UTC 2007
On Mon, May 07, 2007 at 12:12:52PM -0400, Steve Grubb wrote:
| On Monday 07 May 2007 11:56, Bill O'Donnell wrote:
| > Stopping auditd:audit(1178276231.766:704): avc: denied { write } for
| > pid=2911 comm="auditd" name="log" dev=tmpfs ino=10195
| > scontext=system_u:system_r:auditd_t:s0
| > tcontext=system_u:object_r:device_t:s0 tclass=sock_file
|
| This would seem to indicate you have a mislabeled system. You should not have
| a label of device_t type unless you have hardware we've not seen. Without
| knowing more about how you got in this situation, its hard to say exactly
| what the problem is. I'd start by relabeling your system.
It is quite likely this is hardware that is new to SELinux. We're going
ahead with relabeling. Is there another log somewhere that can indicate the
success, or lack thereof, of the labeling?
More information about the Linux-audit
mailing list