Bug 476798

Summary: "auditd -n" does not work
Product: [Fedora] Fedora Reporter: Harald Hoyer <harald>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 10CC: sgrubb
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-07-26 17:48:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Harald Hoyer 2008-12-17 07:35:41 UTC 
Starting auditd from upstart/inittab with "/sbin/auditd -n" does not work.
auditd bails out, complaining, that it is not allowed to fork :)
Comment 1 Harald Hoyer 2008-12-17 07:38:06 UTC 
/var/log/messages:

Cannot daemonize (Operation not permitted)
Comment 2 Steve Grubb 2008-12-17 12:02:11 UTC 
I believe this is because /dev/null may not exist yet. So, I instrumented the audit daemon to output a little more info about why it cannot daemonize. Please give the package here a try:

http://people.redhat.com/sgrubb/files/audit-1.7.11-1.src.rpm

Let me know what you find in syslog.
Comment 3 Harald Hoyer 2008-12-17 13:36:46 UTC 
(In reply to comment #2)
> I believe this is because /dev/null may not exist yet. 

hmm, no, this was tried from upstart and tried from shell.

> So, I instrumented the
> audit daemon to output a little more info about why it cannot daemonize. Please
> give the package here a try:
> 
> http://people.redhat.com/sgrubb/files/audit-1.7.11-1.src.rpm
> 
> Let me know what you find in syslog.

Dec 17 14:36:08 harryh kernel: audit(1229520968.001:239): audit_pid=0 old=495 auid=500 ses=1 subj=unconfined_u:system_r:auditd_t:s0 res=1
Dec 17 14:36:11 harryh auditd: Cannot changed session id
Dec 17 14:36:11 harryh auditd: Cannot daemonize (Operation not permitted)
Dec 17 14:36:11 harryh auditd: The audit daemon is exiting.
Comment 4 Steve Grubb 2008-12-17 14:12:11 UTC 
OK, that shows me what the problem is. It fails setsid() due to already being a session leader. I'll patch up the audit daemon and push it through the build system.
Comment 5 Steve Grubb 2008-12-17 15:19:10 UTC 
new audit packages can be found here:

http://koji.fedoraproject.org/koji/buildinfo?buildID=75101

Thanks for reporting the problem.
Comment 6 Harald Hoyer 2008-12-17 15:23:54 UTC 
Thanks! That was quick :)
Comment 7 Steve Grubb 2009-07-26 17:48:04 UTC 
Closing out since bug appears to be fixed long ago.