Description of problem:
Audit daemon does not halt the system when the audit partition is full. The message is logged: "The audit daemon is now halting the system due to no space left on logging partition" but the system continues to run.

Version-Release number of selected component (if applicable):
Reproduced on various cloud images including: RHEL 7.7 [1911]

How reproducible:
Reproduced on various cloud image versions running locally and on EC2.

Steps to Reproduce:
1. Set "disk_full_action = HALT"
2. Fill audit partition, e.g. dd
3. System should halt

Actual results:
At step 3 the system logs a message that it is now halting, but continues to run.

Expected results:
At step 3 the system should halt.

Additional info:
Disabling the auditd systemd service and manually launching /sbin/auditd results in the system halting properly.

With the daemon:

[root@foo ~]# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-12-05 12:12:54 EST; 7min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 520 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 511 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 515 (auditd)
   CGroup: /system.slice/auditd.service
           └─515 /sbin/auditd

Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: Audit daemon has no space left on logging partition
Dec 05 12:19:48 foo.novalocal auditd[515]: The audit daemon is now halting the system due to no space left on logging partition

[root@foo ~]# date ; uptime
Thu Dec  5 12:20:24 EST 2019
 12:20:24 up 7 min,  2 users,  load average: 0.39, 1.09, 0.68

Stop the daemon, free up space, and start again by hand:

[root@foo ~]# /sbin/auditd ; while df /; do sleep 10; done
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960164        72 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960144        92 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960168        68 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960172        64 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960156        80 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960160        76 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960160        76 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960188        48 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960172        64 100% /
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/vda1       20960236 20960180        56 100% /
Connection to 172.16.253.163 closed by remote host.
Connection to 172.16.253.163 closed.
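Step 1 of the reproduction above depends on auditd.conf actually carrying a stopping action. The following script is an added example (not code from the bug report or from the audit project): it parses an auditd.conf and reports, for each key that governs what auditd does when logging space runs low or out, whether the configured action takes the system down. The function names and the sample configuration are this example's own. Note that it only checks configuration; as the AVC records later in this thread show, the HALT action is carried out by auditd running /sbin/init 0, and whether that call succeeds is a separate, runtime question.

```python
"""Check whether auditd is configured to stop the machine when it cannot log.

Added example, not code from the bug report or the audit project. Reads an
auditd.conf and reports whether each space-exhaustion action stops the
system, as step 1 of the reproduction (disk_full_action = HALT) expects.
"""

# Actions named in auditd.conf(5) that stop the system rather than only
# alerting: "halt" powers the machine off, "single" drops to single-user mode.
STOPPING_ACTIONS = {"halt", "single"}

# The keys that decide what auditd does as space on the log partition runs
# low, runs out, or the log cannot be written at all.
ACTION_KEYS = (
    "space_left_action",
    "admin_space_left_action",
    "disk_full_action",
    "disk_error_action",
)

# Constructed sample in auditd.conf syntax, carrying the setting from step 1.
SAMPLE_CONF = """\
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL_ASYNC
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = HALT
disk_error_action = SUSPEND
"""


def parse_auditd_conf(text):
    """Return {key: value} from auditd.conf text, skipping comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def action_report(conf):
    """Map each action key to (configured value, stops_system)."""
    report = {}
    for key in ACTION_KEYS:
        value = conf.get(key, "").lower() or "unset"
        report[key] = (value, value in STOPPING_ACTIONS)
    return report


def non_stopping_actions(conf):
    """Action keys whose configured action leaves the system running."""
    return [key for key, (_, stops) in action_report(conf).items() if not stops]


def disk_full_halts(conf):
    """True when a full log partition is configured to halt the system."""
    return conf.get("disk_full_action", "").lower() == "halt"


if __name__ == "__main__":
    conf = parse_auditd_conf(SAMPLE_CONF)
    for key, (value, stops) in action_report(conf).items():
        print(f"{key:<25} {value:<8} {'stops system' if stops else 'keeps running'}")
```

On a live host, point parse_auditd_conf at the contents of /etc/audit/auditd.conf; a key reported as "unset" falls back to the daemon's built-in default, which is not a stopping action.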
By any chance, are there AVC's during this time?
avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target
type=USER_AVC msg=audit(1575574335.825:101): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.826:102): avc: denied { read } for pid=1773 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.826:103): avc: denied { read } for pid=1773 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.828:104): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.828:105): avc: denied { read } for pid=1772 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.828:106): avc: denied { read } for pid=1772 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.933:107): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.933:108): avc: denied { read } for pid=1789 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.933:109): avc: denied { read } for pid=1789 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.936:110): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.937:111): avc: denied { read } for pid=1788 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.937:112): avc: denied { read } for pid=1788 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.946:113): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1575574335.948:114): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1575574335.951:115): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.951:116): avc: denied { read } for pid=1784 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.951:117): avc: denied { read } for pid=1784 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.956:118): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.956:119): avc: denied { read } for pid=1782 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.956:120): avc: denied { read } for pid=1782 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.958:121): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.959:122): avc: denied { read } for pid=1787 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.959:123): avc: denied { read } for pid=1787 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.961:124): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.962:125): avc: denied { read } for pid=1786 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.962:126): avc: denied { read } for pid=1786 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.963:127): avc: denied { read } for pid=1785 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.963:128): avc: denied { read } for pid=1785 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.964:129): avc: denied { read } for pid=1783 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.964:130): avc: denied { read } for pid=1783 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.972:131): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.972:132): avc: denied { read } for pid=1781 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.972:133): avc: denied { read } for pid=1781 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574335.978:134): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.978:135): avc: denied { read } for pid=1780 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.978:136): avc: denied { read } for pid=1780 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574336.109:137): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1575574336.112:138): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1575574336.114:139): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574336.121:140): avc: denied { read } for pid=1799 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.122:141): avc: denied { read } for pid=1799 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.123:142): avc: denied { read } for pid=1797 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.123:143): avc: denied { read } for pid=1797 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.123:144): avc: denied { read } for pid=1798 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.124:145): avc: denied { read } for pid=1798 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574336.140:146): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574336.141:147): avc: denied { read } for pid=1796 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.141:148): avc: denied { read } for pid=1796 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574336.143:149): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574336.143:150): avc: denied { read } for pid=1794 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.143:151): avc: denied { read } for pid=1794 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1575574336.201:152): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1575574336.203:153): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574336.207:154): avc: denied { read } for pid=1792 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.207:155): avc: denied { read } for pid=1792 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336.207:156): avc: denied { read } for pid=1793 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574336
I suspect the AVC's are the problem. You can probably put the system into permissive mode for testing. Just run "setenforce 0" and then retest.

The above reduces down to:

#============= auditd_t ==============
allow auditd_t initrc_var_run_t:file read;
allow auditd_t power_unit_file_t:service start;

I'll transfer this bz to selinux-policy so that it can be fixed.
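The reduction in the comment above (from dozens of denial records to two allow rules) is what audit2allow does. The script below is an added example, not code from the bug report and not audit2allow itself: a minimal re-implementation of that step, so the rules can be derived from a raw dump without the tool and the logic is visible. It handles both kernel AVC records and USER_AVC records, whose denial text is nested inside msg='...'. The sample records are constructed in the same shape as the ones on this page; the function names are this example's own.

```python
"""Reduce AVC / USER_AVC denial records to the allow rules they imply.

Added example, not code from the bug report and not audit2allow itself: a
minimal re-implementation of the reduction step the comment above shows
("The above reduces down to ...").
"""
import re
from collections import defaultdict

# Constructed sample: three records in the shape of the bug report's dump
# plus one non-AVC record, so the filter is exercised too.
SAMPLE_RECORDS = """\
type=USER_AVC msg=audit(1575574335.825:101): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1575574335.826:102): avc: denied { read } for pid=1773 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575574335.826:103): avc: denied { read } for pid=1773 comm="systemctl" name="utmp" dev="tmpfs" ino=14287 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=DAEMON_END msg=audit(1575574336.500:9000): op=terminate auid=4294967295 pid=515 subj=system_u:system_r:auditd_t:s0 res=success
"""

# One denial: the permission set in braces, then the source and target
# contexts and the object class. For USER_AVC the same text sits inside
# msg='...', so the search is anchored on "avc: denied", not on line start.
DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """user:role:type[:level] -> type (system_u:system_r:auditd_t:s0 -> auditd_t)."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, permission) for every denial."""
    for line in text.splitlines():
        if not line.startswith(("type=AVC ", "type=USER_AVC ")):
            continue
        match = DENIAL_RE.search(line)
        if match is None:
            continue  # an AVC record that is not a denial
        src = selinux_type(match.group("scontext"))
        tgt = selinux_type(match.group("tcontext"))
        for perm in match.group("perms").split():
            yield src, tgt, match.group("tclass"), perm


def reduce_to_allow_rules(text):
    """Collapse repeated denials into one allow rule per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(text):
        perms_by_key[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(perms_by_key.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules


def format_like_audit2allow(rules):
    """Group rules under a '#============= <source type> ==============' header."""
    lines, current = [], None
    for rule in rules:
        src = rule.split()[1]
        if src != current:
            lines.append(f"#============= {src} ==============")
            current = src
        lines.append(rule)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_like_audit2allow(reduce_to_allow_rules(SAMPLE_RECORDS)))
```

On a live host the equivalent is `ausearch -m AVC,USER_AVC -ts recent | audit2allow -M auditd_halt` followed by `semodule -i auditd_halt.pp`. Treat a locally generated module as a stopgap only: it grants auditd_t the right to start poweroff.target, which is exactly the privilege the halt path needs, and the durable fix is the selinux-policy update this bug was transferred for. The `setenforce 0` suggested above confirms the diagnosis but leaves the whole host permissive, so use it only in the test run.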
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. Red Hat Enterprise Linux 7 is in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
A small number of use-cases. But very important use-cases:

* https://access.redhat.com/articles/2918071
* https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72081
It is a requirement in Common Criteria, FAU_STG.4 Prevention of audit data loss, that requires the audit system take action if it is unable to record audit events. On the SCAP side, there is also AU-5 RESPONSE TO AUDIT PROCESSING FAILURES, which also has the same requirements. It says:

The information system:
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

It's this first item that high security organizations need. They would rather lose access to a system than allow unaudited access. Some scenarios are so sensitive that they must know everyone that accessed something and when and what they did. Suppose a system contains evidence for a legal proceeding. If someone realizes that auditing is not working, they could delete evidence needed for the trial and change the outcome.

This might be z-stream worthy.
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/331
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3925