Bug 1780332 - Audit daemon does not halt the system when the audit partition is full
Summary: Audit daemon does not halt the system when the audit partition is full
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.7
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: 7.9
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1826788
Reported: 2019-12-05 17:26 UTC by Iambchop
Modified: 2020-12-01 02:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
SELinux no longer prevents `auditd` from halting or powering off the system

Previously, the SELinux policy did not contain a rule that allows the Audit daemon to start a `power_unit_file_t` `systemd` unit. Consequently, `auditd` could not halt or power off the system even when configured to do so, for example when no space was left on the logging disk partition. With this update, the missing rule has been added to the SELinux policy. As a result, `auditd` can now halt or power off the system.
Clone Of:
: 1826788 (view as bug list)
Environment:
Last Closed: 2020-09-29 19:55:23 UTC
Target Upstream Version:


Links
* Red Hat Knowledge Base (Solution) 5610301 (last updated 2020-12-01 02:36:16 UTC)
* Red Hat Product Errata RHBA-2020:3925 (last updated 2020-09-29 19:55:44 UTC)

Description Iambchop 2019-12-05 17:26:33 UTC
Description of problem:

Audit daemon does not halt the system when the audit partition is full.  The message is logged:

    "The audit daemon is now halting the system due to no space left on logging partition"

but, the system continues to run.

Version-Release number of selected component (if applicable):

Reproduced on various cloud images including: RHEL 7.7 [1911]

How reproducible:

Reproduced on various cloud image versions running locally and on EC2.

Steps to Reproduce:
1. Set "disk_full_action = HALT"
2. Fill audit partition, e.g. dd
3. System should halt

Actual results:

At step 3 the system logs a message that it is now halting, but continues to run.

Expected results:

At step 3 the system should halt.

Additional info:

Disabling the auditd systemd service and manually launching /sbin/auditd results in the system halting properly.

With the daemon:

[root@foo ~]# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-12-05 12:12:54 EST; 7min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 520 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 511 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 515 (auditd)
   CGroup: /system.slice/auditd.service
           └─515 /sbin/auditd

Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition
[root@foo ~]# date ; uptime
Thu Dec  5 12:20:24 EST 2019
 12:20:24 up 7 min,  2 users,  load average: 0.39, 1.09, 0.68


Stop the daemon, free up space, and start again by hand:

[root@foo ~]# /sbin/auditd ; while df /; do sleep 10; done
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960164        72 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960144        92 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960168        68 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960172        64 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960156        80 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960160        76 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960160        76 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960188        48 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960172        64 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960180        56 100% /
Connection to 172.16.253.163 closed by remote host.
Connection to 172.16.253.163 closed.

Comment 2 Steve Grubb 2019-12-05 17:56:37 UTC
By any chance, are there AVCs during this time?

Comment 3 Iambchop 2019-12-05 19:35:03 UTC
avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target

type=USER_AVC msg=audit(1575574335.825:101): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.826:102): avc:  denied  { read } for  pid=1773 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.826:103): avc:  denied  { read } for  pid=1773 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.828:104): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574335.828:105): avc:  denied  { read } for  pid=1772 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.828:106): avc:  denied  { read } for  pid=1772 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.933:107): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574335.933:108): avc:  denied  { read } for  pid=1789 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.933:109): avc:  denied  { read } for  pid=1789 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.936:110): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574335.937:111): avc:  denied  { read } for  pid=1788 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.937:112): avc:  denied  { read } for  pid=1788 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.946:113): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=USER_AVC msg=audit(1575574335.948:114): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=USER_AVC msg=audit(1575574335.951:115): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574335.951:116): avc:  denied  { read } for  pid=1784 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.951:117): avc:  denied  { read } for  pid=1784 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.956:118): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574335.956:119): avc:  denied  { read } for  pid=1782 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.956:120): avc:  denied  { read } for  pid=1782 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.958:121): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574335.959:122): avc:  denied  { read } for  pid=1787 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.959:123): avc:  denied  { read } for  pid=1787 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.961:124): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574335.962:125): avc:  denied  { read } for  pid=1786 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.962:126): avc:  denied  { read } for  pid=1786 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.963:127): avc:  denied  { read } for  pid=1785 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.963:128): avc:  denied  { read } for  pid=1785 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.964:129): avc:  denied  { read } for  pid=1783 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.964:130): avc:  denied  { read } for  pid=1783 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.972:131): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574335.972:132): avc:  denied  { read } for  pid=1781 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.972:133): avc:  denied  { read } for  pid=1781 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.978:134): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574335.978:135): avc:  denied  { read } for  pid=1780 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.978:136): avc:  denied  { read } for  pid=1780 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574336.109:137): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=USER_AVC msg=audit(1575574336.112:138): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=USER_AVC msg=audit(1575574336.114:139): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574336.121:140): avc:  denied  { read } for  pid=1799 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.122:141): avc:  denied  { read } for  pid=1799 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.123:142): avc:  denied  { read } for  pid=1797 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.123:143): avc:  denied  { read } for  pid=1797 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.123:144): avc:  denied  { read } for  pid=1798 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.124:145): avc:  denied  { read } for  pid=1798 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574336.140:146): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574336.141:147): avc:  denied  { read } for  pid=1796 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.141:148): avc:  denied  { read } for  pid=1796 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574336.143:149): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574336.143:150): avc:  denied  { read } for  pid=1794 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.143:151): avc:  denied  { read } for  pid=1794 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574336.201:152): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=USER_AVC msg=audit(1575574336.203:153): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'  
type=AVC msg=audit(1575574336.207:154): avc:  denied  { read } for  pid=1792 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.207:155): avc:  denied  { read } for  pid=1792 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.207:156): avc:  denied  { read } for  pid=1793 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336

Comment 4 Steve Grubb 2019-12-05 19:53:59 UTC
I suspect the AVCs are the problem. You can probably put the system into permissive mode for testing. Just run "setenforce 0" and then retest.

The above reduces down to:

#============= auditd_t ==============
allow auditd_t initrc_var_run_t:file read;
allow auditd_t power_unit_file_t:service start;

I'll transfer this bz to selinux-policy so that it can be fixed.
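To show how the denials posted in comment 3 collapse into the two rules in comment 4, here is an added Python example (not part of the bug report and not audit2allow itself) that pulls the source type, target type, class and permissions out of both kernel AVC records and the USER_AVC records systemd forwards, prints them as audit2allow-style allow rules, and wraps them in a loadable policy module source; the sample records are constructed from the lines above, and the module name `local_auditd_halt` is a hypothetical choice.

```python
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the records posted in comment 3: two USER_AVC
# records forwarded by systemd (pid=1) and two kernel AVC records, plus an
# unrelated SYSCALL record that the parser must ignore.
SAMPLE_AVCS = """\
type=USER_AVC msg=audit(1575574335.825:101): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.826:102): avc:  denied  { read } for  pid=1773 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.826:103): avc:  denied  { read } for  pid=1773 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.828:104): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1575574335.826:102): arch=c000003e syscall=2 success=no exit=-13 comm="systemctl"
"""

# Matches the avc: payload whether it sits at top level (type=AVC) or inside
# the quoted msg='...' of a type=USER_AVC record; field order is
# scontext, tcontext, tclass in both forms.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:auditd_t:s0 -> auditd_t."""
    return context.split(":")[2]


def reduce_avcs(text):
    """Collapse denials into {(source type, target type, class): set(permissions)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("decision") != "denied":
            continue
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def format_rules(rules):
    """Render the reduced set as audit2allow-style allow rules, sorted for stable output."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ %s }" % p
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, p))
    return out


def to_te_module(rules, name="local_auditd_halt"):
    """Wrap the rules in a loadable policy module source (the module name is a hypothetical choice).

    Build and load on the affected host with the standard tools:
        checkmodule -M -m -o NAME.mod NAME.te
        semodule_package -o NAME.pp -m NAME.mod
        semodule -i NAME.pp
    """
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    body = ["module %s 1.0;" % name, "", "require {"]
    body += ["    type %s;" % t for t in types]
    body += ["    class %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    body += ["}", ""] + format_rules(rules)
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    # Pass a file of raw audit records (e.g. output of `ausearch -m AVC,USER_AVC -r`)
    # or run without arguments to process the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AVCS
    print(to_te_module(reduce_avcs(data)))
```

A module built this way is a local stop-gap only; it should be removed with `semodule -r` once the errata selinux-policy package that carries the upstream rule is installed.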

Comment 5 Lukas Vrabec 2020-01-16 12:55:46 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. Red Hat Enterprise Linux 7 is in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 6 Iambchop 2020-01-16 23:47:56 UTC
A small number of use-cases.  But very important use-cases:

* https://access.redhat.com/articles/2918071
* https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72081

Comment 7 Steve Grubb 2020-01-17 14:50:12 UTC
It is a requirement in Common Criteria, FAU_STG.4 Prevention of audit data loss, that the audit system take action if it is unable to record audit events. On the SCAP side, there is also AU-5 RESPONSE TO AUDIT PROCESSING FAILURES, which has the same requirements. It says:

The information system:
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

It's this first item that high security organizations need. They would rather lose access to a system than allow unaudited access. Some scenarios are so sensitive that they must know everyone that accessed something and when and what they did. Suppose a system contains evidence for a legal proceeding. If someone realizes that auditing is not working, they could delete evidence needed for the trial and change the outcome.

This might be z-stream worthy.

Comment 9 Zdenek Pytela 2020-03-05 16:58:52 UTC
I've submitted a Fedora PR to address the issue:

https://github.com/fedora-selinux/selinux-policy/pull/331

Comment 20 errata-xmlrpc 2020-09-29 19:55:23 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3925
