Bug 155400 - Auditd Fails to Start/Stop
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: audit
4
i686 Linux
medium Severity medium
Assigned To: Steve Grubb
Reported: 2005-04-19 19:12 EDT by Gary A. McGee
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-04-24 08:46:39 EDT
Attachments
Audit Log (108.72 KB, text/plain)
2005-04-24 07:51 EDT, Gary A. McGee
Description Gary A. McGee 2005-04-19 19:12:02 EDT
Description of problem:
Upon issuing, "service auditd start", or "service auditd stop" the following
console messages are received; "Starting auditd: [FAILED]" and, "Stopping
auditd: [FAILED]".  Additionally, /var/log/audit/audit.log is empty.

Version-Release number of selected component (if applicable):
audit-0.6.11-1

How reproducible:
Every time.

Steps to Reproduce:
1. Issue the command "service auditd start" or, "service auditd stop" as user root.

Actual results:
Auditd does not start. File /var/log/audit/audit.log is empty.


Expected results:
Auditd should start with log entries.


Additional info:
None
Comment 1 Steve Grubb 2005-04-19 19:50:14 EDT
Well...it works on my system. ;)

If you don't mind, edit /etc/sysconfig/auditd. Make the following change:

EXTRAOPTIONS="-f"

Then stop the audit daemon and start it. See if that tells us why it doesn't
want to start.

Thanks.
Comment 2 Gary A. McGee 2005-04-19 21:45:38 EDT
I followed the instructions from comment #1 and got the same results that I
initially reported.  I did observe that /etc/sysconfig/auditd contained the line: 

EXTRAOPTIONS=""

which I commented out before adding:

EXTRAOPTIONS="-f".

The file /var/log/audit/audit.log is still empty.
Comment 3 Gary A. McGee 2005-04-19 21:59:37 EDT
When I run "dmesg" I see following:

audit(1113962245.916:0): avc:  denied  { sys_nice } for  pid=4441
exe=/sbin/auditd capability=23 scontext=root:system_r:auditd_t
tcontext=root:system_r:auditd_t tclass=capability
Comment 4 Steve Grubb 2005-04-19 22:34:49 EDT
Thanks for the info. The problem looks like a SE Linux policy problem. I'll
forward this to the right person. You should get rid of the -f in EXTRAOPTIONS
now that you've given me some information for troubleshooting.
Comment 5 Daniel Walsh 2005-04-20 10:06:24 EDT
Fixed in selinux-policy-*-1.23.11-4
Comment 6 Gary A. McGee 2005-04-21 14:26:08 EDT
I upgraded to selinux-policy-targeted-1.23.12-1, but the original problem was
not solved.

When I run "dmesg", I see the following message pertaining to auditd:

audit(1114106755.410:0): avc:  denied  { setsched } for  pid=2000
exe=/sbin/auditd scontext=user_u:system_r:auditd_t
tcontext=user_u:system_r:auditd_t tclass=process

FYI, I noticed these new messages as well.  I'm not sure if they're relevant to
this problem, but I want to bring them to your attention.  Please advise if this
is something for which I should create a new bug.

audit(1114106860.035:0): avc:  denied  { execmod } for  pid=4094
comm=firefox-bin path=/home/gamcgee/.mozilla/plugins/libflashplayer.so dev=hda9
ino=1056003 scontext=user_u:system_r:unconfined_t
tcontext=user_u:object_r:default_t tclass=file

audit(1114106860.110:0): avc:  denied  { execmod } for  pid=4094
comm=firefox-bin path=/home/gamcgee/.mozilla/plugins/libflashplayer.so dev=hda9
ino=1056003 scontext=user_u:system_r:unconfined_t
tcontext=user_u:object_r:default_t tclass=file

audit(1114106877.172:0): avc:  denied  { write } for  pid=4242 exe=/bin/cp
name=resolv.conf.predhclient dev=hda10 ino=64142
scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:etc_t tclass=file

audit(1114106877.173:0): avc:  denied  { unlink } for  pid=4242 exe=/bin/cp
name=resolv.conf.predhclient dev=hda10 ino=64142
scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:etc_t tclass=file
Comment 7 Tom Diehl 2005-04-21 22:50:31 EDT
On my system I am getting the following messages:
audit(1114135505.291:0): avc:  denied  { sys_admin } for  pid=1850
exe=/sbin/consoletype capability=21 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:system_r:dhcpc_t tclass=capability
audit(1114135513.089:0): avc:  denied  { sys_admin } for  pid=1880
exe=/sbin/consoletype capability=21 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:system_r:dhcpc_t tclass=capability
audit(1114135513.413:0): avc:  denied  { rename } for  pid=1924 exe=/bin/mv
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.417:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.417:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.425:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.425:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.425:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.425:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.621:0): avc:  denied  { sys_admin } for  pid=1937
exe=/sbin/consoletype capability=21 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:system_r:dhcpc_t tclass=capability
audit(1114135515.615:0): avc:  denied  { setsched } for  pid=2020
exe=/sbin/auditd scontext=user_u:system_r:auditd_t
tcontext=user_u:system_r:auditd_t tclass=process

(bullwinkle pts9) # rpm -qa |grep selinux
selinux-policy-targeted-1.23.12-1
libselinux-1.23.7-2
libselinux-devel-1.23.7-2
(bullwinkle pts9) #
Comment 8 Gary A. McGee 2005-04-24 07:51:00 EDT
Created attachment 113593
Audit Log
Comment 9 Gary A. McGee 2005-04-24 07:52:43 EDT
Auditd seems to start up now.  The attachment above is a copy of
/var/log/audit/audit.log.
Comment 10 Steve Grubb 2005-04-24 08:46:39 EDT
Thanks for reporting this problem. Closing it since it's fixed.
Comment 11 Ville Skyttä 2005-04-25 02:54:27 EDT
ntp.conf and friends avc denied messages -> bug 155855.
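
Added example, not part of the original bug thread: a small Python parser for the "avc: denied" lines quoted in the comments above, grouping them by source domain so the auditd_t denials stand out from the unrelated dhcpc_t ones. The function names are hypothetical; the sample input is copied from the comments with the wrapped lines rejoined.

```python
import re
from collections import Counter

# AVC denials quoted in the comments above (wrapped lines rejoined).
SAMPLE_DMESG = """\
audit(1113962245.916:0): avc:  denied  { sys_nice } for  pid=4441 exe=/sbin/auditd capability=23 scontext=root:system_r:auditd_t tcontext=root:system_r:auditd_t tclass=capability
audit(1114106755.410:0): avc:  denied  { setsched } for  pid=2000 exe=/sbin/auditd scontext=user_u:system_r:auditd_t tcontext=user_u:system_r:auditd_t tclass=process
audit(1114106877.172:0): avc:  denied  { write } for  pid=4242 exe=/bin/cp name=resolv.conf.predhclient dev=hda10 ino=64142 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.417:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.417:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:etc_t tclass=file
"""

# Hypothetical helper names; only the log format comes from the thread.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def parse_avc(line):
    """Parse one denial into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {
        "perms": m["perms"].split(),
        "source": selinux_type(fields.get("scontext", "")),
        "target": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "exe": fields.get("exe") or fields.get("comm", ""),
    }

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            for perm in avc["perms"]:
                counts[(avc["source"], avc["target"], avc["tclass"], perm)] += 1
    return counts

def denials_for(text, domain):
    """Sorted (class, permission) pairs denied to one source domain."""
    return sorted({(c, p) for (s, _t, c, p) in summarize(text) if s == domain})

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_DMESG).items()):
        print(n, *key)
    print("auditd_t:", denials_for(SAMPLE_DMESG, "auditd_t"))
```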
