Bug 169148 - localhost nscd: 1882 Failed opening connection to the audit subsystem
localhost nscd: 1882 Failed opening connection to the audit subsystem
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: audit (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Grubb
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-23 13:23 EDT by Andre Robatino
Modified: 2007-11-30 17:11 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-02 08:59:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Let nscd keep the AUDIT write privs. (10.51 KB, patch)
2006-04-18 18:07 EDT, James Antill
no flags Details | Diff

  None (edit)
Description Andre Robatino 2005-09-23 13:23:39 EDT
Description of problem:
  When booting, the message

Sep 23 04:59:34 localhost nscd: 1882 Failed opening connection to the audit
subsystem

appears in /var/log/messages.

Version-Release number of selected component (if applicable):
nscd-2.3.5-10.3

How reproducible:
always

Additional info:
  All FC4 updates up to and including Sep. 22 applied.
Comment 1 Jakub Jelinek 2005-09-27 11:33:37 EDT
I can reproduce this, though strangely only when running nscd via
sudo /sbin/service nscd start, not when running sudo /usr/sbin/nscd by hand.
Unfortunately, the problem goes away when trying to strace it.
So I guess it is either a libaudit bug, or kernel auditing problem.
nscd just calls audit_open, and from what I can see that's before dropping
priviledges, so that shouldn't be a problem on the nscd side.
Comment 2 Steve Grubb 2005-09-27 11:47:34 EDT
Does this problem still occur when audit-libs-1.0.4 are installed? It gives the
errno in a message when it cannot open the netlink socket. It should be
immediately before the message in the problem description.
Comment 3 Jakub Jelinek 2005-09-27 12:22:50 EDT
i386/audit-libs-1.0.4-1.fc4.i386.rpm
x86_64/audit-libs-1.0.4-1.fc4.x86_64.rpm
x86_64/nscd-2.3.5-10.3.x86_64.rpm

sudo /sbin/service nscd stop
sudo /sbin/service auditd stop
sudo /sbin/service auditd start
sudo /sbin/service nscd start
sudo tail -3 /var/log/messages
Sep 27 18:22:59 hammer auditd[10073]: Init complete, auditd 1.0.4 listening for
events
Sep 27 18:23:04 hammer nscd: 10089 Access Vector Cache (AVC) started
Sep 27 18:23:04 hammer nscd: 10089 Failed opening connection to the audit
subsystem
Comment 4 Steve Grubb 2005-09-27 12:46:08 EDT
OK, I see why there's no message. We made some changes to quieten pam. There's 2
ways to get the message. We can either add:
@@ -115,6 +115,7 @@
 static void
 audit_init (void)
 {
+  set_aumessage_mode(MSG_SYSLOG, DBG_NO);
   audit_fd = audit_open ();

in selinux.c

or add strerror(errno) to the failed opening connection message. This doesn't
solve the problem, but gives the user more information so they can decide if its
really a problem or an explained condition. If we change the audit message mode,
there will likely be other messages that become visible if there are problems
sending avc messages to the audit system. Its hard to say without running which
way is best.
Comment 5 Andre Robatino 2005-09-30 13:24:19 EDT
  No change with kernel-2.6.13-1.1526_FC4.
Comment 6 Andre Robatino 2005-10-20 22:25:21 EDT
  The last time I saw this specific error message was on Oct. 3, when I got the
following:

Oct  3 12:09:40 localhost nscd: 1793 Failed opening connection to the audit
subsystem
Oct  3 14:33:50 localhost nscd: Can't send to audit system: USER_AVC pid=1793
uid=28 loginuid=-1 message=avc:  received policyload notice (seqno=2)
Oct  3 14:33:50 localhost nscd: Can't send to audit system: USER_AVC pid=1793
uid=28 loginuid=-1 message=avc:  7 AV entries and 7/512 buckets used, longest
chain length 1

  On Oct. 17, I got the following:

Oct 17 17:01:28 localhost nscd: Can't send to audit system: USER_AVC pid=1794
uid=28 loginuid=-1 message=avc:  received policyload notice (seqno=2)
Oct 17 17:01:28 localhost nscd: Can't send to audit system: USER_AVC pid=1794
uid=28 loginuid=-1 message=avc:  7 AV entries and 7/512 buckets used, longest
chain length 1

  But I shutdown/reboot at least once daily and these are the only occurrences.
 I am currently running kernel-2.6.13-1.1532_FC4.
Comment 7 Peter Bieringer 2006-01-23 11:07:10 EST
I got such messages here today on an RHEL4U2 running
selinux-policy-targeted-1.17.30-2.123


Jan 23 16:02:28 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  received policyload notice (seqno=1)
Jan 23 16:02:28 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  8 AV entries and 8/512 buckets used, longest chain
length 1
Jan 23 16:54:10 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  received policyload notice (seqno=2)
Jan 23 16:54:10 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  6 AV entries and 6/512 buckets used, longest chain
length 1
Jan 23 16:56:16 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  received setenforce notice (enforcing=1)

note that auditd is not running (startup disabled) - is this the reason?
Comment 8 Steve Grubb 2006-01-23 11:13:10 EST
regarding comment #7, the audit daemon doesn't have anything to do with this.
nscd needs to have CAP_AUDIT_WRITE permissions.
Comment 9 Peter Bieringer 2006-01-23 11:17:05 EST
Should I file a bug against RHEL4?
Comment 10 Steve Grubb 2006-01-23 11:20:39 EST
Sure. We need to create a patch for it.
Comment 11 Peter Bieringer 2006-01-24 12:51:12 EST
Can't file a bug for "nscd" on RHEL4, looks like the problem in the web
interface  (missing entry "nscd" in list) is still not resolved :-(
Comment 12 Steve Grubb 2006-01-25 08:16:20 EST
Regarding comment #1, either file it on glibc since that's the base package or
audit and I'll reassign it. Thanks.
Comment 13 James Antill 2006-04-18 18:07:45 EDT
Created attachment 127955 [details]
Let nscd keep the AUDIT write privs.

 This is the patch steve was talking about in comment #10, feel free to comment
Jakub if you want any changes.
Comment 14 Ulrich Drepper 2006-04-26 12:26:37 EDT
I added a variant of the patch upstream.  Should be in the next rawhide version.
Comment 15 Steve Grubb 2006-05-02 08:59:24 EDT
This bug is being closed since it appears to be in rawhide. Thanks everyone !

Note You need to log in before you can comment on or make changes to this bug.