Bug 490072

Summary: auditd hangs on startup if kernel is not compiled with auditing, causing boot to fail
Product: [Fedora] Fedora Reporter: Linus Torvalds <torvalds>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 10CC: sgrubb
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: 1.7.12-3.fc10 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-03-18 18:54:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Linus Torvalds 2009-03-13 03:52:26 UTC 
Description of problem:

The Fedora-10 boot sequence fails if the kernel is compiled with CONFIG_AUDIT=n

Version-Release number of selected component (if applicable):

audit-1.7.12-1.fc10.x86_64


How reproducible:

100% reproducible


Steps to Reproduce:
1. Configure kernel without CONFIG_AUDIT
2. Try to boot the system with 'auditd' enabled
3. No profit!
  
Actual results:

Hung boot, no login, no nothing

Expected results:

Auditd should just exit and the boot should continue, the way it used to work.

Additional info:

An 'strace' of the failure (done by disabling audit, booting into a kernel without auditing support, and then trying to enable auditing again) shows

3138  pipe([3, 4])                      = 0
3138  fcntl(3, F_SETFD, FD_CLOEXEC)     = 0
3138  fcntl(3, F_SETFD, FD_CLOEXEC)     = 0
3138  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f7285cf2780) = 3139
3138  read(3,  <unfinished ...>

and note how buggy this is? That process 3138 should have closed its own copy of the output pipe (fd 4), but because it didn't do that, now when the child dies, the read() will never finish _anyway_, because the pipe writer is still open.

This bug seems to have been introduced about a week ago when I did a yum update on this machine:

/var/log/messages-20090308:Mar  4 07:51:47 nehalem yum: Updated: audit-libs-1.7.12-1.fc10.x86_64
/var/log/messages-20090308:Mar  4 07:51:49 nehalem yum: Updated: audit-1.7.12-1.fc10.x86_64
/var/log/messages-20090308:Mar  4 07:51:49 nehalem yum: Updated: audit-libs-python-1.7.12-1.fc10.x86_64

because before this, I've happily run Fedora-10 without audit support in the kernel forever.
Comment 1 Linus Torvalds 2009-03-13 03:58:19 UTC 
Oh, side note: I didn't actually confirm that it's CONFIG_AUDIT itself that is the only thing missing. I'm not going to bother enabling auditing in the kernel to see exactly what it is that makes auditd fail.

But the strace seems to imply that the failure to open /proc/self/loginuid is what makes the auditd children exit - it's just that auditd itself never exits once the children have exited, because as per above the 'read()' will never finish due to there still being a writer.
Comment 2 Steve Grubb 2009-03-13 10:01:04 UTC 
This problem was fixed in rawhide about a week ago. I'll push the change out to F-10 soon. Just in case you wanted the fix, it is here:

https://fedorahosted.org/audit/changeset/265
Comment 3 Fedora Update System 2009-03-15 00:20:18 UTC 
audit-1.7.12-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/audit-1.7.12-3.fc10
Comment 4 Steve Grubb 2009-03-15 00:23:54 UTC 
I built a new audit package that should fix this problem. I was waiting till a little closer to 2.6.29 release to push this out in case something else needed to be included in an update. In any event, please give the 1.7.12-3 package a try and see if that doesn't work better for you. Thanks for reporting the problem.
Comment 5 Fedora Update System 2009-03-16 19:46:00 UTC 
audit-1.7.12-3.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update audit'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2729
Comment 6 Steve Grubb 2009-03-17 20:26:12 UTC 
The updated audit package has been requested to be moved to the stable updates repository and should be available to everyone on the next push. Thanks for reporting the bug.
Comment 7 Fedora Update System 2009-03-18 18:54:32 UTC 
audit-1.7.12-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.