Description of problem:

== Booting ==
$ dmesg
[...]
audit(1118409721.975:2): avc: denied { write } for pid=2057 comm="auditd" name=oom_adj dev=proc ino=134807579 scontext=system_u:system_r:auditd_t tcontext=system_u:system_r:auditd_t tclass=file
[...]

== Shutdown ==
in /var/log/messages
[...]
Jun 10 22:20:39 sangu kernel: audit: *NO* daemon at audit_pid=5937
Jun 10 22:20:39 sangu kernel: audit(1118409639.416:15473838): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bf8b17f0 a2=80500f8 a3=0 items=0 pid=13948 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jun 10 22:20:39 sangu kernel: audit(1118409639.416:15473838): saddr=100000000000000000000000
Jun 10 22:20:39 sangu kernel: audit(1118409639.416:15473838): nargs=6 a0=3 a1=bf8b1ce8 a2=10 a3=0 a4=bf8b21a8 a5=c
Jun 10 22:20:39 sangu kernel: audit(1118409639.620:15473858): SELinux: unrecognized netlink message type=1009 for sclass=49
Jun 10 22:20:39 sangu kernel:
Jun 10 22:20:39 sangu kernel: audit(1118409639.620:15473858): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bf8b17d0 a2=80500f8 a3=0 items=0 pid=13948 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jun 10 22:20:39 sangu kernel: audit(1118409639.620:15473858): saddr=10008A000000000000000000
Jun 10 22:20:39 sangu kernel: audit(1118409639.620:15473858): nargs=6 a0=3 a1=bf8b1cc8 a2=10 a3=0 a4=bf8b2188 a5=c
[...]

$ ls -Zla /sbin/audit*
-rwxr-x--- 1 system_u:object_r:auditctl_exec_t root root 49296 Jun 10 03:36 /sbin/auditctl
-rwxr-x--- 1 system_u:object_r:auditd_exec_t root root 58052 Jun 10 03:36 /sbin/auditd

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-3

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
audit-0.9.3-1

This is similar to bz 160318. The OOM killer avoidance item is not finalized, so I would not change policy for that. Also, the file system auditing code is not merged with the kernel, so there's no chance of writing policy for it at this point. This report is against rawhide components which are not yet ready for mass deployment. All of these items (and more) are being worked under another bugzilla report. I'll leave this open in the meantime.

$ cat /proc/cmdline
ro root=LABEL=/ acpi=on video=vesafb:ywrap,mtrr:1600x1200@60 vga=0x346 rhgb audit=1

$ dmesg | grep audit
Kernel command line: ro root=LABEL=/ acpi=on video=vesafb:ywrap,mtrr:1600x1200@60 vga=0x346 rhgb audit=1
audit: enabled (after initialization)
audit: initializing netlink socket (enabled)
audit(1119388145.479:1): initialized

$ service auditd restart
auditd 를 정지함: [ 확인 ]
Error sending netlink packet (Invalid argument)
Error sending list request (Invalid argument)
Error sending netlink packet (Invalid argument)
Error sending list request (Invalid argument)
auditd (을)를 시작합니다: [ 확인 ]
Error sending netlink packet (Invalid argument)
Error sending list request (Invalid argument)
Error sending netlink packet (Invalid argument)
Error sending list request (Invalid argument)

/var/log/audit/audit.log
[...]
type=DAEMON_END msg=audit(1119356135.272:596) auditd normal halt, sending pid=3069 auid=4294967295, auditd pid=2056
type=DAEMON_START msg=audit(1119356135.399:607) auditd start, ver=0.9.10, format=raw, auid=4294967295, auditd pid=3078
type=CONFIG_CHANGE msg=audit(1119356135.400:2298372): audit_enabled=1 old=1 by auid=4294967295
type=SELINUX_ERR msg=audit(1119356135.418:2298484): SELinux: unrecognized netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1119356135.418:2298484): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bff01a20 a2=80510f8 a3=0 items=0 pid=3081 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1119356135.418:2298484): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1119356135.418:2298484): nargs=6 a0=4 a1=bff03b7c a2=10 a3=0 a4=bff05d18 a5=c
type=SELINUX_ERR msg=audit(1119356135.418:2298546): SELinux: unrecognized netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1119356135.418:2298546): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bff01a00 a2=80510f8 a3=0 items=0 pid=3081 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1119356135.418:2298546): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1119356135.418:2298546): nargs=6 a0=4 a1=bff03b5c a2=10 a3=0 a4=bff05cf8 a5=c
type=CONFIG_CHANGE msg=audit(1119356135.419:2298632): audit_backlog_limit=256 old=256 by auid=4294967295
type=CRED_ACQ msg=audit(1119356168.219:2357780): user pid=3116 uid=0 auid=4294967295 msg='PAM setcred: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/2 result=Success)'
type=USER_START msg=audit(1119356168.219:2357839): user pid=3116 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/2 result=Success)'
type=USER_END msg=audit(1119356168.219:2357856): user pid=3116 uid=0 auid=4294967295 msg='PAM session close: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/2 result=Success)'

$ dmesg | grep audit
Kernel command line: ro root=LABEL=/ acpi=on video=vesafb:ywrap,mtrr:1600x1200@60 vga=0x346 rhgb audit=1
audit: enabled (after initialization)
audit: initializing netlink socket (enabled)
audit(1119388145.479:1): initialized
[...]
audit: *NO* daemon at audit_pid=2056
audit(1119356135.381:2297258): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bf8171d0 a2=80510f8 a3=0 items=0 pid=3076 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
audit(1119356135.381:2297258): saddr=100000000000000000000000
audit(1119356135.381:2297258): nargs=6 a0=3 a1=bf81932c a2=10 a3=0 a4=bf81b4c8 a5=c
audit(1119356135.381:2297273): SELinux: unrecognized netlink message type=1009 for sclass=49
audit(1119356135.381:2297273): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bf8171b0 a2=80510f8 a3=0 items=0 pid=3076 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
audit(1119356135.381:2297273): saddr=100000000000000000000000
audit(1119356135.381:2297273): nargs=6 a0=3 a1=bf81930c a2=10 a3=0 a4=bf81b4a8 a5=c

----
audit-0.9.10-1
kernel-2.6.12-1.1387_FC5
selinux-policy-targeted-1.23.18-15
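
An added example, not part of the bug report and not code from the audit or SELinux projects: a short Python triage script that groups audit.log records by event ID and decodes the fields that recur in this report (the rejected netlink message type, the i386 socketcall sub-call, the exit code and the socket address family). The message-type names are taken from linux/audit.h; the function name `explain_netlink_denials` and the lookup tables are this example's own, and the sample input is copied from the audit.log excerpt above.

```python
import errno
import re
from collections import defaultdict

# Names from linux/audit.h for the file-watch netlink messages (subset).
AUDIT_NL_TYPES = {1007: "AUDIT_WATCH_INS", 1008: "AUDIT_WATCH_REM", 1009: "AUDIT_WATCH_LIST"}
# i386 socketcall(2) sub-call numbers, passed in a0 (subset).
SOCKETCALL = {9: "send", 11: "sendto", 16: "sendmsg"}
AUDIT_ARCH_I386, SYS_SOCKETCALL, AF_NETLINK = "40000003", "102", 16

RECORD = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+:\d+)\):? (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
NL_ERR = re.compile(r"unrecognized netlink message type=(\d+) for sclass=(\d+)")

# Sample input: records copied from the audit.log excerpt in this report.
SAMPLE = """\
type=SELINUX_ERR msg=audit(1119356135.418:2298484): SELinux: unrecognized netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1119356135.418:2298484): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bff01a20 a2=80510f8 a3=0 items=0 pid=3081 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1119356135.418:2298484): saddr=100000000000000000000000
type=CONFIG_CHANGE msg=audit(1119356135.419:2298632): audit_backlog_limit=256 old=256 by auid=4294967295
"""

def explain_netlink_denials(log_text):
    """Group records by event ID and decode each SELinux netlink rejection."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events[m.group(2)][m.group(1)] = m.group(3)
    findings = []
    for event_id, recs in events.items():
        err = NL_ERR.search(recs.get("SELINUX_ERR", ""))
        if not err or "SYSCALL" not in recs:
            continue  # not a rejected netlink message, or no syscall context
        sc = {k: v.strip('"') for k, v in FIELD.findall(recs["SYSCALL"])}
        call = "syscall " + sc["syscall"]
        if sc["arch"] == AUDIT_ARCH_I386 and sc["syscall"] == SYS_SOCKETCALL:
            call = "socketcall:" + SOCKETCALL.get(int(sc["a0"], 16), sc["a0"])
        saddr = recs.get("SOCKADDR", "").partition("saddr=")[2]
        # A sockaddr starts with a 16-bit address family in little-endian order on i386.
        family = int.from_bytes(bytes.fromhex(saddr[:4]), "little") if saddr else None
        findings.append({
            "event": event_id, "comm": sc["comm"], "call": call,
            "error": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
            "to_netlink": family == AF_NETLINK,
            "nl_type": AUDIT_NL_TYPES.get(int(err.group(1)), err.group(1)),
            "sclass": int(err.group(2)),
        })
    return findings

if __name__ == "__main__":
    print(explain_netlink_denials(SAMPLE))
```
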
*** Bug 160318 has been marked as a duplicate of this bug. ***
audit-0.9.19 was put into FC4 testing & rawhide. Please give it a try and let me know if this works for you. Thanks.
start and stop auditd, no error message
Thank you, Steve Grubb!!!.

kernel-2.6.12-1.1433_FC5

-----
stop auditd, messages in dmesg
[...]
Jul 16 22:30:50 sangu auditd[11501]: The audit daemon is exiting.
Jul 16 22:30:50 sangu kernel: audit: *NO* daemon at audit_pid=11501
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210429): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bf8dc1d0 a2=80510f8 a3=bf8e04c8 items=0 pid=11547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210429): saddr=100000000000000000000000
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210429): nargs=6 a0=3 a1=bf8de32c a2=10 a3=0 a4=bf8e04c8 a5=c
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210440): SELinux: unrecognized netlink message type=1009 for sclass=49
Jul 16 22:30:50 sangu kernel:
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210440): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bf8dc1c0 a2=80510f8 a3=bf8e04b8 items=0 pid=11547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210440): saddr=100000000000000000000000
Jul 16 22:30:50 sangu kernel: audit(1121520650.948:1210440): nargs=6 a0=3 a1=bf8de31c a2=10 a3=0 a4=bf8e04b8 a5=c
[...]

start auditd, messages in dmesg
Jul 16 22:32:29 sangu kernel: audit(1121520749.966:1373436): user pid=11548 uid=0 auid=4294967295 msg='PAM setcred: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/4 result=Success)'
Jul 16 22:32:29 sangu kernel: audit(1121520749.966:1373495): user pid=11548 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/4 result=Success)'
Jul 16 22:32:29 sangu kernel: audit(1121520749.966:1373507): user pid=11548 uid=0 auid=4294967295 msg='PAM session close: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/4 result=Success)'
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374976): SELinux: unrecognized netlink message type=1009 for sclass=49
Jul 16 22:32:30 sangu kernel:
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374976): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfee0c50 a2=80510f8 a3=bfee4f48 items=0 pid=11560 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374976): saddr=100000000000000000000000
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374976): nargs=6 a0=4 a1=bfee2dac a2=10 a3=0 a4=bfee4f48 a5=c
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374998): SELinux: unrecognized netlink message type=1009 for sclass=49
Jul 16 22:32:30 sangu kernel:
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374998): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfee0c40 a2=80510f8 a3=bfee4f38 items=0 pid=11560 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374998): saddr=100000000000000000000000
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1374998): nargs=6 a0=4 a1=bfee2d9c a2=10 a3=0 a4=bfee4f38 a5=c
Jul 16 22:32:30 sangu kernel: audit(1121520750.006:1375014): audit_backlog_limit=256 old=256 by auid=4294967295
Jul 16 22:32:30 sangu auditd[11557]: Init complete, auditd 0.9.19 listening for events