Bug 169148 - localhost nscd: 1882 Failed opening connection to the audit subsystem
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: audit
Version: 4
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Brian Brock
Reported: 2005-09-23 17:23 UTC by Andre Robatino
Modified: 2007-11-30 22:11 UTC (History)

Last Closed: 2006-05-02 12:59:24 UTC

Attachments
Let nscd keep the AUDIT write privs. (10.51 KB, patch)
2006-04-18 22:07 UTC, James Antill

Description Andre Robatino 2005-09-23 17:23:39 UTC
Description of problem:
  When booting, the message

Sep 23 04:59:34 localhost nscd: 1882 Failed opening connection to the audit
subsystem

appears in /var/log/messages.

Version-Release number of selected component (if applicable):
nscd-2.3.5-10.3

How reproducible:
always

Additional info:
  All FC4 updates up to and including Sep. 22 applied.

Comment 1 Jakub Jelinek 2005-09-27 15:33:37 UTC
I can reproduce this, though strangely only when running nscd via
sudo /sbin/service nscd start, not when running sudo /usr/sbin/nscd by hand.
Unfortunately, the problem goes away when trying to strace it.
So I guess it is either a libaudit bug, or kernel auditing problem.
nscd just calls audit_open, and from what I can see that's before dropping
privileges, so that shouldn't be a problem on the nscd side.

Comment 2 Steve Grubb 2005-09-27 15:47:34 UTC
Does this problem still occur when audit-libs-1.0.4 are installed? It gives the
errno in a message when it cannot open the netlink socket. It should be
immediately before the message in the problem description.

Comment 3 Jakub Jelinek 2005-09-27 16:22:50 UTC
i386/audit-libs-1.0.4-1.fc4.i386.rpm
x86_64/audit-libs-1.0.4-1.fc4.x86_64.rpm
x86_64/nscd-2.3.5-10.3.x86_64.rpm

sudo /sbin/service nscd stop
sudo /sbin/service auditd stop
sudo /sbin/service auditd start
sudo /sbin/service nscd start
sudo tail -3 /var/log/messages
Sep 27 18:22:59 hammer auditd[10073]: Init complete, auditd 1.0.4 listening for
events
Sep 27 18:23:04 hammer nscd: 10089 Access Vector Cache (AVC) started
Sep 27 18:23:04 hammer nscd: 10089 Failed opening connection to the audit
subsystem


Comment 4 Steve Grubb 2005-09-27 16:46:08 UTC
OK, I see why there's no message. We made some changes to quieten pam. There's 2
ways to get the message. We can either add:
@@ -115,6 +115,7 @@
 static void
 audit_init (void)
 {
+  set_aumessage_mode(MSG_SYSLOG, DBG_NO);
   audit_fd = audit_open ();
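
Review bot: the set_aumessage_mode(MSG_SYSLOG, DBG_NO) call added as the first statement of audit_init() is process-wide, and nothing in the visible lines restores the previous mode, so it affects every later libaudit call in nscd and not only the audit_open() on the following line. If the aim is only to explain a failed open, reporting strerror(errno) at the point where the failure is logged keeps the change local; if the wider syslog mode is intended, a comment on the new line should say so.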

in selinux.c

or add strerror(errno) to the failed opening connection message. This doesn't
solve the problem, but gives the user more information so they can decide if it's
really a problem or an explained condition. If we change the audit message mode,
there will likely be other messages that become visible if there are problems
sending avc messages to the audit system. It's hard to say without running which
way is best.

Comment 5 Andre Robatino 2005-09-30 17:24:19 UTC
  No change with kernel-2.6.13-1.1526_FC4.

Comment 6 Andre Robatino 2005-10-21 02:25:21 UTC
  The last time I saw this specific error message was on Oct. 3, when I got the
following:

Oct  3 12:09:40 localhost nscd: 1793 Failed opening connection to the audit
subsystem
Oct  3 14:33:50 localhost nscd: Can't send to audit system: USER_AVC pid=1793
uid=28 loginuid=-1 message=avc:  received policyload notice (seqno=2)
Oct  3 14:33:50 localhost nscd: Can't send to audit system: USER_AVC pid=1793
uid=28 loginuid=-1 message=avc:  7 AV entries and 7/512 buckets used, longest
chain length 1

  On Oct. 17, I got the following:

Oct 17 17:01:28 localhost nscd: Can't send to audit system: USER_AVC pid=1794
uid=28 loginuid=-1 message=avc:  received policyload notice (seqno=2)
Oct 17 17:01:28 localhost nscd: Can't send to audit system: USER_AVC pid=1794
uid=28 loginuid=-1 message=avc:  7 AV entries and 7/512 buckets used, longest
chain length 1

  But I shutdown/reboot at least once daily and these are the only occurrences.
 I am currently running kernel-2.6.13-1.1532_FC4.

Comment 7 Peter Bieringer 2006-01-23 16:07:10 UTC
I got such messages here today on an RHEL4U2 running
selinux-policy-targeted-1.17.30-2.123


Jan 23 16:02:28 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  received policyload notice (seqno=1)
Jan 23 16:02:28 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  8 AV entries and 8/512 buckets used, longest chain
length 1
Jan 23 16:54:10 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  received policyload notice (seqno=2)
Jan 23 16:54:10 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  6 AV entries and 6/512 buckets used, longest chain
length 1
Jan 23 16:56:16 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  received setenforce notice (enforcing=1)

note that auditd is not running (startup disabled) - is this the reason?

Comment 8 Steve Grubb 2006-01-23 16:13:10 UTC
regarding comment #7, the audit daemon doesn't have anything to do with this.
nscd needs to have CAP_AUDIT_WRITE permissions.

Comment 9 Peter Bieringer 2006-01-23 16:17:05 UTC
Should I file a bug against RHEL4?

Comment 10 Steve Grubb 2006-01-23 16:20:39 UTC
Sure. We need to create a patch for it.

Comment 11 Peter Bieringer 2006-01-24 17:51:12 UTC
Can't file a bug for "nscd" on RHEL4, looks like the problem in the web
interface  (missing entry "nscd" in list) is still not resolved :-(


Comment 12 Steve Grubb 2006-01-25 13:16:20 UTC
Regarding comment #1, either file it on glibc since that's the base package or
audit and I'll reassign it. Thanks.

Comment 13 James Antill 2006-04-18 22:07:45 UTC
Created attachment 127955
Let nscd keep the AUDIT write privs.

 This is the patch Steve was talking about in comment #10, feel free to comment,
Jakub, if you want any changes.
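
What keeping CAP_AUDIT_WRITE across a switch from root to an unprivileged uid looks like, and how to check the result from /proc/<pid>/status, as an added example; it is not the attached patch or glibc's code. The function names are hypothetical, and the raw capset syscall is used in place of libcap so the block has no library dependency.

```c
/* Added example, not nscd/glibc code; function names are hypothetical. */
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 1 if `cap` is set in the CapEff line of /proc/<pid>/status text,
 * 0 if it is clear, -1 if the line is missing or unparsable. */
int capeff_has(const char *status, int cap)
{
    const char *p = strstr(status, "CapEff:");
    char *end;
    if (p == NULL)
        return -1;
    unsigned long long mask = strtoull(p + 7, &end, 16);
    return end == p + 7 ? -1 : (int)((mask >> cap) & 1);
}

/* Switch from root to uid/gid, leaving CAP_AUDIT_WRITE as the only capability. */
int drop_root_keep_audit_write(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = 1u << CAP_AUDIT_WRITE;
    if (prctl(PR_SET_KEEPCAPS, 1) != 0)   /* keep the permitted set across setuid */
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* setuid cleared the effective set: re-raise the audit bit, drop the rest */
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

int main(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f)
        fclose(f);
    buf[n] = '\0';
    printf("CAP_AUDIT_WRITE effective: %d\n", capeff_has(buf, CAP_AUDIT_WRITE));
    return 0;
}
```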

Comment 14 Ulrich Drepper 2006-04-26 16:26:37 UTC
I added a variant of the patch upstream.  Should be in the next rawhide version.

Comment 15 Steve Grubb 2006-05-02 12:59:24 UTC
This bug is being closed since it appears to be in rawhide. Thanks, everyone!

