Bug 246616

Summary: Strange audit messages
Product: [Fedora] Fedora Reporter: Joshua Covington <joshuacov>
Component: seedit Assignee: Yuichi Nakamura <ynakam>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 7   
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2007-07-11 01:34:56 UTC Type: ---
Attachments:
Description                  Flags
found in /var/log/audit/     none
found in /var/log/audit/     none
found in /etc/audit/         none
found in /etc/audit/         none
found in /etc/               none

Description Joshua Covington 2007-07-03 13:21:48 UTC
Description of problem:
after updating to kde357 (using fc7) and installing and deinstalling (because of
numerous problems) 
seedit-2.1.1-2.fc7.1.i386.rpm                                            
seedit-gui-2.1.1-2.fc7.1.i386.rpm                                        
seedit-policy-2.1.1-2.fc7.1.i386.rpm                                     
selinux-doc-1.26-1.1.noarch.rpm 
I got lots of the following messages when shutting down:
----------------------------------------------
Jul 2 22:26:34 localhost auditd[1776]: The audit daemon is exiting.
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:95): audit_pid=0 old=1776
by auid=4294967295 subj=system_u:system_r:auditd_t:s0
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:96): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'dhclient_t' is invalid
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:97): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:98): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'mcstransd_t' is invalid
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:99): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:100): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:101): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'samba_t' is invalid
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:102): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:103): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:104): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:105): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:106): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:107): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:108): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:109): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
-----------------------------------------------------------------


I also now have problems with the combination "fn+sound up/down". I've enabled
the "microsoft natural pro/ internet pro" keyboard layout (in kde) but it
doesn't function anymore. And when trying to use the combination "fn+sound
up/down" I just see the status bar dialog going from 0 up to 11% but this doesn't
reflect the actual volume level (and the level is actually 100% not 0% as
shown). In kde 356 it was ok and all keyboard shortcuts were functioning ok.


Version-Release number of selected component (if applicable):


How reproducible:
install the above packages
then, after relabelling the system what of the sys.processes wouldn't start
because of the se-rules.
start interactive startup and disable the messagebus and the HAL daemon, go
into the X (kde) and deinstall the rpms.
after the new relabelling the problem occurs.


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:
the kde keyboard layout with microsoft natural pro/ internet pro enabled,
enables lots of the fn keys on most laptops. and I think the kde-update has
nothing to do with the problem. maybe the seedit (which i had to delete manually
after deinstall from /etc/seedit and /ets/selinux/seedit/) is blocking somehow
the kde script that manages the keyboard.


Additional info:

Comment 1 Yuichi Nakamura 2007-07-03 23:36:34 UTC
Hi.
There may be extra entries in audit.conf.
Can you tell me the contents of /etc/audit.conf ?


Comment 2 Joshua Covington 2007-07-05 14:06:54 UTC
Created attachment 158585 [details]
found in /var/log/audit/

Comment 3 Joshua Covington 2007-07-05 14:07:44 UTC
Created attachment 158586 [details]
found in /var/log/audit/

Comment 4 Joshua Covington 2007-07-05 14:08:12 UTC
Created attachment 158587 [details]
found in /etc/audit/

Comment 5 Joshua Covington 2007-07-05 14:08:38 UTC
Created attachment 158589 [details]
found in /etc/audit/

Comment 6 Joshua Covington 2007-07-05 14:09:01 UTC
Created attachment 158590 [details]
found in /etc/

Comment 7 Joshua Covington 2007-07-05 14:11:03 UTC
These are the files that I found but no /etc/audit.conf. When I looked in them
there is nothing unusual for me.

Comment 8 Joshua Covington 2007-07-05 14:16:22 UTC
another user has this problem, too. here:
http://forums.fedoraforum.org/showthread.php?t=159800

Comment 9 Yuichi Nakamura 2007-07-06 00:02:47 UTC
What happens if you delete the following from audit.rules and restart the audit service?

-a exit,always -S chroot
-a exit,always -S chdir -F obj_type=dhclient_t
-a exit,always -S chdir -F obj_type=sendmail_t
-a exit,always -S chdir -F obj_type=mcstransd_t
-a exit,always -S chdir -F obj_type=sshd_t
-a exit,always -S chdir -F obj_type=ntpd_t
-a exit,always -S chdir -F obj_type=samba_t
-a exit,always -S chdir -F obj_type=named_t
-a exit,always -S chdir -F obj_type=klogd_t
-a exit,always -S chdir -F obj_type=crond_t
-a exit,always -S chdir -F obj_type=httpd_t
-a exit,always -S chdir -F obj_type=auditd_t
-a exit,always -S chdir -F obj_type=portmap_t
-a exit,always -S chdir -F obj_type=syslogd_t




Comment 10 Joshua Covington 2007-07-09 18:45:06 UTC
ok, after deleting these rules and restarting the service i've got no more
messages. actually just one but i think it is from the audit service itself and
it reports that the service has exited or something like this.
actually i had a similar message before installing seedit.
the message is:
--------------------
Jul  6 20:07:42 localhost auditd[1753]: The audit daemon is exiting.
Jul  6 20:07:42 localhost audispd[1755]: input read: EOF
Jul  6 20:07:42 localhost kernel: audit(1183745262.457:277): audit_pid=0
old=1753 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
--------------------

As of this I think this problem has been fixed. By the way, how have all these rules
been added to the rules.conf? I haven't made any manual changes to these
files.

Comment 11 Yuichi Nakamura 2007-07-11 01:32:34 UTC
...
-a exit,always -S chdir -F obj_type=dhclient_t
....

are added by seedit when converting policy.
These entries are necessary for seedit's policy generating component 
to obtain full path information from audit.log.


Comment 12 Yuichi Nakamura 2007-07-11 01:34:56 UTC
And I fixed seedit to remove these entries from audit.rules when uninstalling
seedit.
I applied the change to svn.sourceforge.net/svnroot/seedit.
I think the fixed seedit will also be uploaded to Fedora in the near future.
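
Added example, not part of the bug report or of seedit's code: it matches the kernel's "audit rule for selinux '...' is invalid" warnings against the obj_type/subj_type filters in an audit rules file, to show which leftover entries are stale and which can stay. The sample log lines and rules are constructed from the ones quoted in this report, and the function names are hypothetical.

```shell
# Constructed sample input: kernel messages in the form quoted in the description.
SAMPLE_LOG="Jul 2 22:26:34 localhost kernel: audit rule for selinux 'dhclient_t' is invalid
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:97): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'mcstransd_t' is invalid
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'samba_t' is invalid"

# Constructed sample rules file: a subset of the entries listed in comment 9.
SAMPLE_RULES="-a exit,always -S chroot
-a exit,always -S chdir -F obj_type=dhclient_t
-a exit,always -S chdir -F obj_type=sshd_t
-a exit,always -S chdir -F obj_type=mcstransd_t
-a exit,always -S chdir -F obj_type=samba_t
-a exit,always -S chdir -F obj_type=httpd_t"

# Read log text on stdin; print each type named in an "is invalid" warning (sorted, unique).
invalid_types() {
    sed -n "s/.*audit rule for selinux '\([^']*\)' is invalid.*/\1/p" | sort -u
}

# classify_rules MODE LOG RULES
# MODE=stale prints rules whose SELinux type filter names a type the kernel rejected;
# MODE=keep prints every other line, i.e. the rules file with the stale entries dropped.
classify_rules() {
    types=$(printf '%s\n' "$2" | invalid_types | tr '\n' ' ')
    printf '%s\n' "$3" | awk -v types="$types" -v mode="$1" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) bad[t[i]] = 1 }
        {
            stale = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(obj|subj)_type=/) {
                    v = $i; sub(/^[^=]*=/, "", v)   # keep only the type name
                    if (v in bad) stale = 1
                }
            if ((mode == "stale") == stale) print
        }'
}

# Stand-alone run: list the stale entries found in the sample data.
classify_rules stale "$SAMPLE_LOG" "$SAMPLE_RULES"
```

On a live system the two text arguments would be the contents of the syslog file holding the kernel messages and of the audit.rules file.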


Comment 13 Joshua Covington 2007-07-11 17:51:10 UTC
Thanks a lot for this!

Therefore I love Fedora!

Comment 14 Joshua Covington 2007-07-12 15:13:42 UTC
ok, the problem has been fixed (credit should go to Yuichi Nakamura) but when i
installed the seedit for the first time there was something strange.

it made me reboot and on the reboot there was a relabelling with the seedit
policy. after this a automatic restart and then lots of services wouldn't start
because of problems.

So I restarted in interactive startup and didn't start the failed services. Then
uninstalled the seedit, restart, relabel with the target-policy and the messages
appeared.

So in my opinion seedit shouldn't automatically relabel and should be more
compatible with the other processes. But I cannot exactly remember what errors
appeared because it was about 2 weeks ago. :(

maybe this can help for a more user-friendly policy editor.

Comment 15 Yuichi Nakamura 2007-07-20 08:17:36 UTC
Thanks for the report.

> after this a automatic restart and then lots of services wouldn't start
> because of problems.
It is strange.
In F7, seedit is not well tested; I have to test in F7 more.