
Bug 1083513

Summary: augenrules fails to generate rules during auditd start
Product: Red Hat Enterprise Linux 7
Reporter: Ondrej Moriš <omoris>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondrej Moriš <omoris>
Severity: high
Priority: high
Version: 7.0
CC: mmalik
Target Milestone: rc
Target Release: 7.0
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.12.1-151.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 10:24:48 UTC
Type: Bug
Bug Blocks: 717785, 1077249

Description Ondrej Moriš 2014-04-02 11:36:55 UTC
Description of problem:

Recently auditd started using augenrules to read rules from /etc/auditd/rules.d/ and compile them into autogenerated file /etc/auditd/audit.rules which is then read by auditd (during the service start). 

Unfortunately there seem to be changes needed in MLS policy to allow this new functionality.

Version-Release number of selected component (if applicable):


How reproducible:

100% in MLS

Steps to Reproduce:
1. setenforce 1 
2. service auditd start

Actual results:

# service auditd start
Redirecting to /bin/systemctl start  auditd.service
Job for auditd.service failed. See 'systemctl status auditd.service' and 'journalctl -xn' for details.

# journalctl -xn 
-- Logs begin at Wed 2014-04-02 09:56:02 CEST, end at Fri 2014-04-04 11:08:01 CEST. --
Apr 02 13:35:05 cc-vtoe5.lab.eng.brq.redhat.com kernel: type=1300 audit(1396438505.732:2721815): arch=c000003e syscall=2 success=no exit=-13 a0=7fffee88af62 a1=0 a2=0 a3=7fffee88a250 items=0 ppid=9234 pid=9241 auid=4294967295 uid=0 gid=0 e
Apr 02 13:35:05 cc-vtoe5.lab.eng.brq.redhat.com kernel: type=1400 audit(1396438505.743:2721816): avc:  denied  { getattr } for  pid=9234 comm="augenrules" path="/etc/audit/audit.rules" dev="dm-1" ino=33888132 scontext=system_u:system_r:ini
Apr 02 13:35:05 cc-vtoe5.lab.eng.brq.redhat.com kernel: type=1300 audit(1396438505.743:2721816): arch=c000003e syscall=4 success=no exit=-13 a0=1040a90 a1=7fff8e7420d0 a2=7fff8e7420d0 a3=8 items=0 ppid=1 pid=9234 auid=4294967295 uid=0 gid=
Apr 02 13:35:05 cc-vtoe5.lab.eng.brq.redhat.com kernel: type=1400 audit(1396438505.754:2721817): avc:  denied  { getattr } for  pid=9242 comm="cp" path="/etc/audit/audit.rules" dev="dm-1" ino=33888132 scontext=system_u:system_r:init_t:s0-s
Apr 02 13:35:05 cc-vtoe5.lab.eng.brq.redhat.com kernel: type=1300 audit(1396438505.754:2721817): arch=c000003e syscall=4 success=no exit=-13 a0=7fff56b70f64 a1=7fff56b6f650 a2=7fff56b6f650 a3=7fff56b6f380 items=0 ppid=9234 pid=9242 auid=42
Apr 02 13:35:05 cc-vtoe5.lab.eng.brq.redhat.com augenrules[9234]: cp: failed to access ‘/etc/audit/audit.rules’: Permission denied
Apr 02 13:35:05 cc-vtoe5.lab.eng.brq.redhat.com augenrules[9234]: No rules
Apr 02 13:35:05 cc-vtoe5.lab.eng.brq.redhat.com augenrules[9234]: AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=320 lost=2193171 backlog=0
Apr 02 13:35:05 cc-vtoe5.lab.eng.brq.redhat.com systemd[1]: Failed to start Security Auditing Service.

# ausearch -m AVC -ts recent
time->Wed Apr  2 13:27:22 2014
type=SYSCALL msg=audit(1396438042.997:2721788): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7f54cc6832c0 a2=90800 a3=0 items=0 ppid=1 pid=8997 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1396438042.997:2721788): avc:  denied  { open } for  pid=8997 comm="auditd" path="/var/log/audit" dev="dm-6" ino=131 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=system_u:object_r:initrc_var_log_t:s0 tclass=dir
type=AVC msg=audit(1396438042.997:2721788): avc:  denied  { read } for  pid=8997 comm="auditd" name="audit" dev="dm-6" ino=131 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=system_u:object_r:initrc_var_log_t:s0 tclass=dir
----
time->Wed Apr  2 13:27:23 2014
type=SYSCALL msg=audit(1396438043.020:2721789): arch=c000003e syscall=2 success=yes exit=4 a0=7fffc2b6c4fb a1=400 a2=7f54ca8fefd8 a3=7f54ca8fe7b8 items=0 ppid=1 pid=8997 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1396438043.020:2721789): avc:  denied  { open } for  pid=8997 comm="auditd" path="/var/log/audit/audit.log" dev="dm-6" ino=154 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=staff_u:object_r:initrc_var_log_t:s0 tclass=file
type=AVC msg=audit(1396438043.020:2721789): avc:  denied  { read } for  pid=8997 comm="auditd" name="audit.log" dev="dm-6" ino=154 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=staff_u:object_r:initrc_var_log_t:s0 tclass=file
----
time->Wed Apr  2 13:27:23 2014
type=SYSCALL msg=audit(1396438043.037:2721790): arch=c000003e syscall=91 success=yes exit=0 a0=4 a1=180 a2=1 a3=0 items=0 ppid=1 pid=8997 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1396438043.037:2721790): avc:  denied  { setattr } for  pid=8997 comm="auditd" name="audit.log" dev="dm-6" ino=154 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=staff_u:object_r:initrc_var_log_t:s0 tclass=file
----
time->Wed Apr  2 13:27:23 2014
type=SYSCALL msg=audit(1396438043.051:2721791): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=12f9c50 a2=90800 a3=0 items=0 ppid=9002 pid=9003 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/usr/bin/ls" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396438043.051:2721791): avc:  denied  { read } for  pid=9003 comm="ls" name="rules.d" dev="dm-1" ino=67446812 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir
----
time->Wed Apr  2 13:27:23 2014
type=SYSCALL msg=audit(1396438043.058:2721794): arch=c000003e syscall=2 success=yes exit=3 a0=7fff7fe02f5a a1=0 a2=1fffffffffff0000 a3=7fff7fe026d0 items=0 ppid=9000 pid=9007 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/usr/bin/cat" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396438043.058:2721794): avc:  denied  { open } for  pid=9007 comm="cat" path="/etc/audit/rules.d/audit.rules" dev="dm-1" ino=67446813 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1396438043.058:2721794): avc:  denied  { read } for  pid=9007 comm="cat" name="audit.rules" dev="dm-1" ino=67446813 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
----
time->Wed Apr  2 13:27:23 2014
type=SYSCALL msg=audit(1396438043.058:2721795): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff7fe029d0 a2=7fff7fe029d0 a3=7fff7fe026d0 items=0 ppid=9000 pid=9007 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/usr/bin/cat" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396438043.058:2721795): avc:  denied  { getattr } for  pid=9007 comm="cat" path="/etc/audit/rules.d/audit.rules" dev="dm-1" ino=67446813 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
----
time->Wed Apr  2 13:27:23 2014
type=SYSCALL msg=audit(1396438043.078:2721796): arch=c000003e syscall=2 success=yes exit=4 a0=7fff9bed6f5f a1=c1 a2=1a0 a3=7fff9bed4b40 items=0 ppid=8998 pid=9009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396438043.078:2721796): avc:  denied  { write open } for  pid=9009 comm="cp" path="/etc/audit/audit.rules.prev" dev="dm-1" ino=35239731 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
type=AVC msg=audit(1396438043.078:2721796): avc:  denied  { create } for  pid=9009 comm="cp" name="audit.rules.prev" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
type=AVC msg=audit(1396438043.078:2721796): avc:  denied  { add_name } for  pid=9009 comm="cp" name="audit.rules.prev" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir
type=AVC msg=audit(1396438043.078:2721796): avc:  denied  { write } for  pid=9009 comm="cp" name="audit" dev="dm-1" ino=33888130 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir
----
time->Wed Apr  2 13:27:23 2014
type=SYSCALL msg=audit(1396438043.078:2721797): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff9bed5090 a2=7fff9bed5090 a3=7fff9bed4b40 items=0 ppid=8998 pid=9009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396438043.078:2721797): avc:  denied  { getattr } for  pid=9009 comm="cp" path="/etc/audit/audit.rules.prev" dev="dm-1" ino=35239731 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
----
time->Wed Apr  2 13:27:23 2014
type=SYSCALL msg=audit(1396438043.080:2721798): arch=c000003e syscall=2 success=yes exit=4 a0=7fff6a474f64 a1=201 a2=0 a3=7fff6a4729a0 items=0 ppid=8998 pid=9010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396438043.080:2721798): avc:  denied  { write } for  pid=9010 comm="cp" name="audit.rules" dev="dm-1" ino=33888132 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file

# ausearch -m AVC -ts recent | audit2allow 


#============= auditd_t ==============
allow auditd_t initrc_var_log_t:dir { read open };
allow auditd_t initrc_var_log_t:file { read open setattr };

#============= init_t ==============
allow init_t auditd_etc_t:dir { read write add_name };
allow init_t auditd_etc_t:file { read write getattr open create };

Expected results:

Service starts correctly.

Additional info:
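
The `ausearch -m AVC | audit2allow` step in the description maps each AVC record to a candidate allow rule by taking the source type, the target type and the object class and unioning the denied permissions. The Python below re-implements that aggregation so the report's denials can be triaged offline, without an MLS-enabled RHEL host. It is an added example, not code from auditd, selinux-policy or audit2allow; the function names, the rule output format and the `targets()` triage helper are this example's own. The sample AVC lines are copied verbatim from the `ausearch` output in the description.

```python
"""Aggregate SELinux AVC denials into audit2allow-style allow rules.

Added example for the bug report above; not code from auditd, selinux-policy
or audit2allow. It re-implements only the rule-aggregation step that
`ausearch -m AVC | audit2allow` performs in the report. SAMPLE_AVCS is copied
from the report; function names and output format are this example's own.
"""
import re
from collections import defaultdict

# Payload of a type=AVC record: denied permissions, key=value fields, then the
# subject context, object context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# AVC records copied from the report's `ausearch -m AVC -ts recent` output.
SAMPLE_AVCS = """
type=AVC msg=audit(1396438042.997:2721788): avc:  denied  { open } for  pid=8997 comm="auditd" path="/var/log/audit" dev="dm-6" ino=131 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=system_u:object_r:initrc_var_log_t:s0 tclass=dir
type=AVC msg=audit(1396438042.997:2721788): avc:  denied  { read } for  pid=8997 comm="auditd" name="audit" dev="dm-6" ino=131 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=system_u:object_r:initrc_var_log_t:s0 tclass=dir
type=AVC msg=audit(1396438043.020:2721789): avc:  denied  { open } for  pid=8997 comm="auditd" path="/var/log/audit/audit.log" dev="dm-6" ino=154 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=staff_u:object_r:initrc_var_log_t:s0 tclass=file
type=AVC msg=audit(1396438043.020:2721789): avc:  denied  { read } for  pid=8997 comm="auditd" name="audit.log" dev="dm-6" ino=154 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=staff_u:object_r:initrc_var_log_t:s0 tclass=file
type=AVC msg=audit(1396438043.037:2721790): avc:  denied  { setattr } for  pid=8997 comm="auditd" name="audit.log" dev="dm-6" ino=154 scontext=system_u:system_r:auditd_t:s15:c0.c1023 tcontext=staff_u:object_r:initrc_var_log_t:s0 tclass=file
type=AVC msg=audit(1396438043.051:2721791): avc:  denied  { read } for  pid=9003 comm="ls" name="rules.d" dev="dm-1" ino=67446812 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir
type=AVC msg=audit(1396438043.058:2721794): avc:  denied  { open } for  pid=9007 comm="cat" path="/etc/audit/rules.d/audit.rules" dev="dm-1" ino=67446813 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1396438043.058:2721794): avc:  denied  { read } for  pid=9007 comm="cat" name="audit.rules" dev="dm-1" ino=67446813 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1396438043.058:2721795): avc:  denied  { getattr } for  pid=9007 comm="cat" path="/etc/audit/rules.d/audit.rules" dev="dm-1" ino=67446813 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1396438043.078:2721796): avc:  denied  { write open } for  pid=9009 comm="cp" path="/etc/audit/audit.rules.prev" dev="dm-1" ino=35239731 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
type=AVC msg=audit(1396438043.078:2721796): avc:  denied  { create } for  pid=9009 comm="cp" name="audit.rules.prev" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
type=AVC msg=audit(1396438043.078:2721796): avc:  denied  { add_name } for  pid=9009 comm="cp" name="audit.rules.prev" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir
type=AVC msg=audit(1396438043.078:2721796): avc:  denied  { write } for  pid=9009 comm="cp" name="audit" dev="dm-1" ino=33888130 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir
type=AVC msg=audit(1396438043.080:2721798): avc:  denied  { write } for  pid=9010 comm="cp" name="audit.rules" dev="dm-1" ino=33888132 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
"""


def parse_context(ctx):
    """Split user:role:type[:level]; the level is present only under MLS/MCS."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else None}


def parse_avc(line):
    """Return a denial dict for one AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": set(m.group("perms").split()), "fields": fields,
            "source": parse_context(m.group("scontext")),
            "target": parse_context(m.group("tcontext")),
            "tclass": m.group("tclass")}


def parse_avcs(text):
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]


def aggregate(denials):
    """(source type, target type, class) -> union of denied permissions,
    which is exactly what audit2allow turns into one allow rule."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"]["type"], d["target"]["type"], d["tclass"])] |= d["perms"]
    return dict(rules)


def format_rules(rules):
    """Render rules in allow-statement syntax; single permissions get no braces."""
    out = []
    for stype, ttype, tclass in sorted(rules):
        perms = sorted(rules[(stype, ttype, tclass)])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


def targets(denials):
    """Triage view: which objects, with what type and MLS level, were hit.
    A type or level that does not match the file's expected label points at a
    relabelling problem rather than a policy gap."""
    seen = set()
    for d in denials:
        obj = d["fields"].get("path") or d["fields"].get("name")
        seen.add((d["target"]["type"], d["target"]["level"], obj))
    return sorted(seen, key=str)


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AVCS)
    print("\n".join(format_rules(aggregate(found))))
    for ttype, level, obj in targets(found):
        print(f"{obj}: {ttype} at {level}")
```

The aggregated view separates the two problems mixed together in the report. Every `auditd_t` denial targets `initrc_var_log_t` at level `s0` under /var/log/audit, which is a label problem that restoring the context fixes (comment 1 confirms auditd starts again after that); the `init_t` denials target correctly labelled `auditd_etc_t` objects and are the real policy gap that selinux-policy-3.12.1-151.el7 closes. Treat the generated `allow` lines as a diagnosis rather than a fix: compiling them into a local module with `semodule` would grant `init_t` write access to `auditd_etc_t` on every host instead of installing the vetted policy, and in the first case would hide the mislabelled log directory instead of relabelling it.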

Comment 1 Ondrej Moriš 2014-04-02 12:04:29 UTC
After restoring context on /v/r/a/audit.log back to its correct value, auditd is starting again but augenrules still fails to work:

# service auditd restart
...
# service auditd status
Redirecting to /bin/systemctl status  auditd.service
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since Wed 2014-04-02 14:01:45 CEST; 1min 54s ago
  Process: 25359 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 9692 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
 Main PID: 9691 (auditd)
   CGroup: /system.slice/auditd.service
           └─9691 /sbin/auditd -n

Apr 02 14:01:45 cc-vtoe5.lab.eng.brq.redhat.com systemd[1]: Starting Security Auditing Service...
Apr 02 14:01:45 cc-vtoe5.lab.eng.brq.redhat.com augenrules[9692]: /bin/ls: cannot open directory /etc/audit/rules.d: Permission denied
Apr 02 14:01:45 cc-vtoe5.lab.eng.brq.redhat.com auditd[9691]: Init complete, auditd 2.3.3 listening for events (startup state enable)
Apr 02 14:01:45 cc-vtoe5.lab.eng.brq.redhat.com augenrules[9692]: cp: failed to access ‘/etc/audit/audit.rules’: Permission denied
Apr 02 14:01:45 cc-vtoe5.lab.eng.brq.redhat.com augenrules[9692]: No rules
Apr 02 14:01:45 cc-vtoe5.lab.eng.brq.redhat.com augenrules[9692]: AUDIT_STATUS: enabled=1 flag=1 pid=9691 rate_limit=0 backlog_limit=320 lost=2193184 backlog=1
Apr 02 14:01:45 cc-vtoe5.lab.eng.brq.redhat.com systemd[1]: Started Security Auditing Service.

# ausearch -m AVC -ts recent 
----
time->Wed Apr  2 14:01:45 2014
type=SYSCALL msg=audit(1396440105.281:2721856): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=218fc50 a2=90800 a3=0 items=0 ppid=9697 pid=9699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/usr/bin/ls" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396440105.281:2721856): avc:  denied  { read } for  pid=9699 comm="ls" name="rules.d" dev="dm-1" ino=67446812 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir
----
time->Wed Apr  2 14:01:45 2014
type=SYSCALL msg=audit(1396440105.285:2721857): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1052ef62 a1=0 a2=0 a3=7fff1052e4c0 items=0 ppid=9692 pid=9701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cmp" exe="/usr/bin/cmp" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396440105.285:2721857): avc:  denied  { read } for  pid=9701 comm="cmp" name="audit.rules" dev="dm-1" ino=33888132 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
----
time->Wed Apr  2 14:01:45 2014
type=SYSCALL msg=audit(1396440105.285:2721858): arch=c000003e syscall=4 success=no exit=-13 a0=12e2a90 a1=7fffb98ea100 a2=7fffb98ea100 a3=8 items=0 ppid=1 pid=9692 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="augenrules" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396440105.285:2721858): avc:  denied  { getattr } for  pid=9692 comm="augenrules" path="/etc/audit/audit.rules" dev="dm-1" ino=33888132 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
----
time->Wed Apr  2 14:01:45 2014
type=SYSCALL msg=audit(1396440105.287:2721859): arch=c000003e syscall=4 success=no exit=-13 a0=7fff47253f64 a1=7fff47252f50 a2=7fff47252f50 a3=7fff47252c80 items=0 ppid=9692 pid=9702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1396440105.287:2721859): avc:  denied  { getattr } for  pid=9702 comm="cp" path="/etc/audit/audit.rules" dev="dm-1" ino=33888132 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
# ausearch -m AVC -ts recent | audit2allow 


#============= init_t ==============
allow init_t auditd_etc_t:dir read;
allow init_t auditd_etc_t:file { read getattr };

Comment 2 Ondrej Moriš 2014-04-02 13:27:42 UTC
Mirek, it seems that we need also the following in the policy:

allow init_t auditd_etc_t:dir write;

Comment 3 Ondrej Moriš 2014-04-02 13:29:20 UTC
(In reply to Ondrej Moriš from comment #2)
> Mirek, it seems that we need also the following in the policy:
> 
> allow init_t auditd_etc_t:dir write;

It is because augenrules needs to write into /e/a/audit.rules.

Comment 4 Ondrej Moriš 2014-04-06 21:46:21 UTC
Successfully verified:

# rpm -q selinux-policy
selinux-policy-3.12.1-151.el7.noarch
# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
# service auditd status
Redirecting to /bin/systemctl status  auditd.service
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since Sun 2014-04-06 23:45:10 CEST; 4s ago
  Process: 5892 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
 Main PID: 5891 (auditd)
   CGroup: /system.slice/auditd.service
           └─5891 /sbin/auditd -n

Apr 06 23:45:10 cc-vtoe4.lab.eng.brq.redhat.com systemd[1]: Starting Security Auditing Service...
Apr 06 23:45:10 cc-vtoe4.lab.eng.brq.redhat.com augenrules[5892]: /sbin/augenrules: No change
Apr 06 23:45:10 cc-vtoe4.lab.eng.brq.redhat.com auditd[5891]: Init complete, auditd 2.3.3 liste...)
Apr 06 23:45:10 cc-vtoe4.lab.eng.brq.redhat.com augenrules[5892]: No rules
Apr 06 23:45:10 cc-vtoe4.lab.eng.brq.redhat.com augenrules[5892]: AUDIT_STATUS: enabled=1 flag=...1
Apr 06 23:45:10 cc-vtoe4.lab.eng.brq.redhat.com systemd[1]: Started Security Auditing Service.
Hint: Some lines were ellipsized, use -l to show in full.
# ausearch -m avc -ts recent -sv no
<no matches>

Comment 6 Ludek Smid 2014-06-13 10:24:48 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.