163500 – shutdown error "localhost kernel: audit: *NO* daemon at audit_pid=1824"

Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.

Bug 163500 - shutdown error "localhost kernel: audit: *NO* daemon at audit_pid=1824"

Summary: shutdown error "localhost kernel: audit: *NO* daemon at audit_pid=1824"

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	audit
Sub Component:
Version:	4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Steve Grubb
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	164733 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-07-18 12:24 UTC by Andre Robatino
Modified:	2007-11-30 22:11 UTC (History)
CC List:	5 users (show)
Fixed In Version:	audit-1.0.2-2
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-08-11 13:03:54 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Andre Robatino 2005-07-18 12:24:21 UTC

Description of problem:
  Every time I shut down, I get the errors below in /var/log/messages.  The
first time it happened was after updating the audit package on July 12. 
Investigating showed that I had TWO versions of audit installed, audit-0.8.2-1
and audit-0.9.15-1.FC4 (though only the most recent  version of audit-libs). 
(This may be related to bug #161038 which involves up2date causing 2 versions of
NetworkManager to be installed; I also used up2date to update audit).  I erased
the older version with rpm -e, fixed the newer version with
rpm -Uvh --replacepkgs /var/spool/up2date/audit-0.9.15-1.FC4.i386.rpm
then used "rpm -q audit" and "rpm -V audit" to check that everything was now
installed correctly.  However, the shutdown errors, listed below, continue. 
(Also see bug #162446 which involves rpc.statd, I also experience this and
rpc.statd is stopped just before the audit messages.)

Jul 18 08:01:16 localhost rpc.statd[1810]: Caught signal 15, un-registering and
exiting.
Jul 18 08:01:16 localhost auditd[1824]: The audit daemon is exiting.
Jul 18 08:01:16 localhost kernel: audit: *NO* daemon at audit_pid=1824
Jul 18 08:01:16 localhost kernel: audit(1121688076.331:360988): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bfb3e070 a2=80510f8 a3=0 items=0 pid=3080
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
Jul 18 08:01:16 localhost kernel: audit(1121688076.331:360988):
saddr=100000000000000000000000
Jul 18 08:01:16 localhost kernel: audit(1121688076.331:360988): nargs=6 a0=3
a1=bfb401cc a2=10 a3=0 a4=bfb42368 a5=c
Jul 18 08:01:16 localhost kernel: audit(1121688076.431:361003): SELinux: 
unrecognized netlink message type=1009 for sclass=49
Jul 18 08:01:16 localhost kernel:
Jul 18 08:01:16 localhost kernel: audit(1121688076.431:361003): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bfb3e050 a2=80510f8 a3=0 items=0 pid=3080
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
Jul 18 08:01:16 localhost kernel: audit(1121688076.431:361003):
saddr=100000000000000000000000
Jul 18 08:01:16 localhost kernel: audit(1121688076.431:361003): nargs=6 a0=3
a1=bfb401ac a2=10 a3=0 a4=bfb42348 a5=c
Jul 18 08:01:16 localhost kernel: Kernel logging (proc) stopped.

Version-Release number of selected component (if applicable):
audit-0.9.15-1.FC4 (and maybe audit-0.8.2-1 if installed simultaneously)

How reproducible:
always

Steps to Reproduce:
1.  Update audit and audit-libs to the latest version using up2date.
  
Actual results:
  Two versions of audit installed, and the above error messages on shutdown,
persisting even when the borked package install is cleaned up.

Expected results:
  One version of audit installed, and no error messages.

Additional info:

Comment 1 petrosyan 2005-07-18 13:13:53 UTC

I can reproduce this bug exactly as described.

Comment 2 Andre Robatino 2005-07-18 13:41:38 UTC

  I downgraded audit (and audit-lib, pam, and pam-devel to satisfy dependencies)
to the original versions using rpm -Uvh --oldpackage.  The shutdown errors went
away.  Then I upgraded the packages back to the original versions using rpm -Fvh
(not up2date).  The update immediately gave the following errors.  Hence the
2-package bug and the audit errors are probably separate bugs.

Jul 18 09:30:14 localhost auditd[1824]: The audit daemon is exiting.
Jul 18 09:30:15 localhost kernel: audit: *NO* daemon at audit_pid=1824
Jul 18 09:30:15 localhost kernel: audit(1121693415.539:340917): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bf9de090 a2=80510f8 a3=0 items=0
pid=2670 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
Jul 18 09:30:15 localhost kernel: audit(1121693415.539:340917):
saddr=100000000000000000000000
Jul 18 09:30:15 localhost kernel: audit(1121693415.539:340917): nargs=6 a0=3
a1=bf9e01ec a2=10 a3=0 a4=bf9e2388 a5=c
Jul 18 09:30:15 localhost kernel: audit(1121693415.640:340932): SELinux: 
unrecognized netlink message type=1009 for sclass=49
Jul 18 09:30:15 localhost kernel:
Jul 18 09:30:15 localhost kernel: audit(1121693415.640:340932): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bf9de070 a2=80510f8 a3=0 items=0
pid=2670 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
Jul 18 09:30:15 localhost kernel: audit(1121693415.640:340932):
saddr=100000000000000000000000
Jul 18 09:30:15 localhost kernel: audit(1121693415.640:340932): nargs=6 a0=3
a1=bf9e01cc a2=10 a3=0 a4=bf9e2368 a5=c
Jul 18 09:30:15 localhost kernel: audit(1121693415.659:341310): SELinux: 
unrecognized netlink message type=1009 for sclass=49
Jul 18 09:30:15 localhost kernel:
Jul 18 09:30:15 localhost kernel: audit(1121693415.659:341310): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bfcc4010 a2=80510f8 a3=0 items=0
pid=2677 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
Jul 18 09:30:15 localhost kernel: audit(1121693415.659:341310):
saddr=100000000000000000000000
Jul 18 09:30:15 localhost kernel: audit(1121693415.659:341310): nargs=6 a0=4
a1=bfcc616c a2=10 a3=0 a4=bfcc8308 a5=c
Jul 18 09:30:15 localhost auditd[2674]: Init complete, auditd 0.9.15 listening
for events

Comment 3 Andre Robatino 2005-07-18 13:43:38 UTC

  Forgot to mention that the update using rpm -Fvh resulted in just one version
of each package being installed, as expected.

Comment 4 Steve Grubb 2005-07-18 13:47:18 UTC

This is not really a bug. Its harmless. What is happening is the audit system is
trying to remove any file system auditing watches so that unmount can proceed
cleanly. However, the file system watch patches for the kernel are still not
quite accepted upstream and consequently not compiled into the FC kernels. This
means it is making calls that SE Linux doesn't understand. SE Linux is what's
reporting the audit messages.

This should work itself out when the file system watch kernel patches are put in
and SE Linux policy updated.

Comment 5 Andre Robatino 2005-07-18 14:12:16 UTC

  In that case, the only remaining issue here is the double install of audit, so
this should probably be considered a duplicate of bug #161038, which should be
moved from NetworkManager to up2date (and maybe the title changed to something
like "up2date can cause packages to be installed twice").

Comment 6 Daniel Walsh 2005-08-01 13:48:48 UTC

*** Bug 164733 has been marked as a duplicate of this bug. ***

Comment 7 Steve Grubb 2005-08-10 13:10:23 UTC

The audit daemon is not setting audit pid to 0 as it shuts down. This may be
fixed in version 1.0.3 - which is under development. The fix will get rid of the
NO Audit Daemon message, but all the others will still be there. 

Using all the currently released software, it should be down to only a hwclock
message.

Comment 8 Steve Grubb 2005-08-11 13:03:54 UTC

Bug 165611 was opened to document the hwclock/initscripts problem. A fix was
placed in audit-1.0.2-2 to set auditd_pid to 0 in the kernel on normal shutdown.
I think this is is now solved. Thanks for reporting the bug.

Note You need to log in before you can comment on or make changes to this bug.