Bug 160050 - starting and stop auditd daemon
starting and stop auditd daemon
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: audit (Show other bugs)
rawhide
noarch Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Grubb
:
: 160318 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-10 10:55 EDT by sangu
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: audit-0.9.19-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-16 09:34:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description sangu 2005-06-10 10:55:04 EDT
Description of problem:
== Booting ==
$dmesg
[...]
audit(1118409721.975:2): avc:  denied  { write } for  pid=2057 comm="auditd"
name=oom_adj dev=proc ino=134807579 scontext=system_u:system_r:auditd_t
tcontext=system_u:system_r:auditd_t tclass=file
[...]

== Shutdown ==

in /var/log/messages
[...]
Jun 10 22:20:39 sangu kernel: audit: *NO* daemon at audit_pid=5937
Jun 10 22:20:39 sangu kernel: audit(1118409639.416:15473838): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bf8b17f0 a2=80500f8 a3=0 items=0
pid=13948 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jun 10 22:20:39 sangu kernel: audit(1118409639.416:15473838):
saddr=100000000000000000000000
Jun 10 22:20:39 sangu kernel: audit(1118409639.416:15473838): nargs=6 a0=3
a1=bf8b1ce8 a2=10 a3=0 a4=bf8b21a8 a5=c
Jun 10 22:20:39 sangu kernel: audit(1118409639.620:15473858): SELinux: 
unrecognized netlink message type=1009 for sclass=49
Jun 10 22:20:39 sangu kernel: 
Jun 10 22:20:39 sangu kernel: audit(1118409639.620:15473858): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bf8b17d0 a2=80500f8 a3=0 items=0
pid=13948 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jun 10 22:20:39 sangu kernel: audit(1118409639.620:15473858):
saddr=10008A000000000000000000
Jun 10 22:20:39 sangu kernel: audit(1118409639.620:15473858): nargs=6 a0=3
a1=bf8b1cc8 a2=10 a3=0 a4=bf8b2188 a5=c
[...]

$ls -Zla /sbin/audit*
-rwxr-x---  1 system_u:object_r:auditctl_exec_t root root 49296 Jun 10 03:36
/sbin/auditctl
-rwxr-x---  1 system_u:object_r:auditd_exec_t  root root 58052 Jun 10 03:36
/sbin/auditd


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-3

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
audit-0.9.3-1
Comment 1 Steve Grubb 2005-06-15 16:37:36 EDT
This is similar to bz 160318. The OOM killer avoidance item is not finalized, so
I would not change policy for that. Also, the file system auditing code is not
merged with the kernel, so there's no chance of writing policy for it at this
point. 

This report is against rawhide components which are not yet ready for mass
deployment. All of these items (and more) are being worked under another
bugzilla report. I'll leave this open in the mean time.
Comment 2 sangu 2005-06-21 08:24:40 EDT
$cat /proc/cmdline
ro root=LABEL=/ acpi=on video=vesafb:ywrap,mtrr:1600x1200@60 vga=0x346 rhgb audit=1

$dmesg | grep audit
Kernel command line: ro root=LABEL=/ acpi=on
video=vesafb:ywrap,mtrr:1600x1200@60 vga=0x346 rhgb audit=1
audit: enabled (after initialization)
audit: initializing netlink socket (enabled)
audit(1119388145.479:1): initialized

$service auditd restart
 
auditd 를 정지함:                                          [  확인  ]
Error sending netlink packet (Invalid argument)

Error sending list request (Invalid argument)
Error sending netlink packet (Invalid argument)

Error sending list request (Invalid argument)
auditd (을)를 시작합니다:                                  [  확인  ]
Error sending netlink packet (Invalid argument)

Error sending list request (Invalid argument)
Error sending netlink packet (Invalid argument)

Error sending list request (Invalid argument)

/var/log/audit/audit.log
[...]
type=DAEMON_END msg=audit(1119356135.272:596) auditd normal halt, sending
pid=3069 auid=4294967295, auditd pid=2056
type=DAEMON_START msg=audit(1119356135.399:607) auditd start, ver=0.9.10,
format=raw, auid=4294967295, auditd pid=3078
type=CONFIG_CHANGE msg=audit(1119356135.400:2298372): audit_enabled=1 old=1 by
auid=4294967295
type=SELINUX_ERR msg=audit(1119356135.418:2298484): SELinux:  unrecognized
netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1119356135.418:2298484): arch=40000003 syscall=102
success=no exit=-22 a0=b a1=bff01a20 a2=80510f8 a3=0 items=0 pid=3081
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1119356135.418:2298484): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1119356135.418:2298484): nargs=6 a0=4 a1=bff03b7c
a2=10 a3=0 a4=bff05d18 a5=c
type=SELINUX_ERR msg=audit(1119356135.418:2298546): SELinux:  unrecognized
netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1119356135.418:2298546): arch=40000003 syscall=102
success=no exit=-22 a0=b a1=bff01a00 a2=80510f8 a3=0 items=0 pid=3081
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1119356135.418:2298546): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1119356135.418:2298546): nargs=6 a0=4 a1=bff03b5c
a2=10 a3=0 a4=bff05cf8 a5=c
type=CONFIG_CHANGE msg=audit(1119356135.419:2298632): audit_backlog_limit=256
old=256 by auid=4294967295
type=CRED_ACQ msg=audit(1119356168.219:2357780): user pid=3116 uid=0
auid=4294967295 msg='PAM setcred: user=root exe="/usr/bin/sudo" (hostname=?,
addr=?, terminal=pts/2 result=Success)'
type=USER_START msg=audit(1119356168.219:2357839): user pid=3116 uid=0
auid=4294967295 msg='PAM session open: user=root exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts/2 result=Success)'
type=USER_END msg=audit(1119356168.219:2357856): user pid=3116 uid=0
auid=4294967295 msg='PAM session close: user=root exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts/2 result=Success)'

$ dmesg | grep audit
Kernel command line: ro root=LABEL=/ acpi=on
video=vesafb:ywrap,mtrr:1600x1200@60 vga=0x346 rhgb audit=1
audit: enabled (after initialization)
audit: initializing netlink socket (enabled)
audit(1119388145.479:1): initialized
[...]
audit: *NO* daemon at audit_pid=2056
audit(1119356135.381:2297258): arch=40000003 syscall=102 success=no exit=-22
a0=b a1=bf8171d0 a2=80510f8 a3=0 items=0 pid=3076 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
audit(1119356135.381:2297258): saddr=100000000000000000000000
audit(1119356135.381:2297258): nargs=6 a0=3 a1=bf81932c a2=10 a3=0 a4=bf81b4c8 a5=c
audit(1119356135.381:2297273): SELinux:  unrecognized netlink message type=1009
for sclass=49
audit(1119356135.381:2297273): arch=40000003 syscall=102 success=no exit=-22
a0=b a1=bf8171b0 a2=80510f8 a3=0 items=0 pid=3076 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
audit(1119356135.381:2297273): saddr=100000000000000000000000
audit(1119356135.381:2297273): nargs=6 a0=3 a1=bf81930c a2=10 a3=0 a4=bf81b4a8 a5=c

----
audit-0.9.10-1 kernel-2.6.12-1.1387_FC5 selinux-policy-targeted-1.23.18-15

Comment 3 sangu 2005-06-21 08:27:39 EDT
*** Bug 160318 has been marked as a duplicate of this bug. ***
Comment 4 Steve Grubb 2005-07-15 12:59:08 EDT
audit-0.9.19 was put into FC4 testing & rawhide. Please give it a try and let me
know if this works for you. Thanks.
Comment 5 sangu 2005-07-16 09:34:48 EDT
start and stop auditd, no error message

Thank you, Steve Grubb!!!.

kernel-2.6.12-1.1433_FC5

-----
stop auditd, messages in dmesg
[...]
Jul 16 22:30:50 sangu auditd[11501]: The audit daemon is exiting.
Jul 16 22:30:50 sangu kernel: audit: *NO* daemon at audit_pid=11501
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210429): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bf8dc1d0 a2=80510f8 a3=bf8e04c8 items=0
pid=11547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210429):
saddr=100000000000000000000000
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210429): nargs=6 a0=3
a1=bf8de32c a2=10 a3=0 a4=bf8e04c8 a5=c
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210440): SELinux: 
unrecognized netlink message type=1009 for sclass=49
Jul 16 22:30:50 sangu kernel:
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210440): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bf8dc1c0 a2=80510f8 a3=bf8e04b8 items=0
pid=11547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210440):
saddr=100000000000000000000000
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210440): nargs=6 a0=3
a1=bf8de31c a2=10 a3=0 a4=bf8e04b8 a5=c
[...]
start auditd, messages in dmesg
Jul 16 22:32:29 sangu kernel: audit(1121520749.966:1373436): user pid=11548
uid=0 auid=4294967295 msg='PAM setcred: user=root exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts/4 result=Success)'
Jul 16 22:32:29 sangu kernel: audit(1121520749.966:1373495): user pid=11548
uid=0 auid=4294967295 msg='PAM session open: user=root exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts/4 result=Success)'
Jul 16 22:32:29 sangu kernel: audit(1121520749.966:1373507): user pid=11548
uid=0 auid=4294967295 msg='PAM session close: user=root exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts/4 result=Success)'
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374976): SELinux: 
unrecognized netlink message type=1009 for sclass=49
Jul 16 22:32:30 sangu kernel:
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374976): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bfee0c50 a2=80510f8 a3=bfee4f48 items=0
pid=11560 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374976):
saddr=100000000000000000000000
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374976): nargs=6 a0=4
a1=bfee2dac a2=10 a3=0 a4=bfee4f48 a5=c
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374998): SELinux: 
unrecognized netlink message type=1009 for sclass=49
Jul 16 22:32:30 sangu kernel:
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374998): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bfee0c40 a2=80510f8 a3=bfee4f38 items=0
pid=11560 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374998):
saddr=100000000000000000000000
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374998): nargs=6 a0=4
a1=bfee2d9c a2=10 a3=0 a4=bfee4f38 a5=c
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1375014):
audit_backlog_limit=256 old=256 by auid=4294967295
Jul 16 22:32:30 sangu auditd[11557]: Init complete, auditd 0.9.19 listening for
events

Note You need to log in before you can comment on or make changes to this bug.