Bug 246616 - Strange audit messages
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: seedit
Version: 7
Hardware: i686 Linux
Priority: low, Severity: medium
Assigned To: Yuichi Nakamura
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-07-03 09:21 EDT by Joshua Covington
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-07-10 21:34:56 EDT
Attachments:
found in /var/log/audit/ (492.23 KB, text/plain), 2007-07-05 10:06 EDT, Joshua Covington
found in /var/log/audit/ (4.99 MB, application/octet-stream), 2007-07-05 10:07 EDT, Joshua Covington
found in /etc/audit/ (983 bytes, application/octet-stream), 2007-07-05 10:08 EDT, Joshua Covington
found in /etc/audit/ (448 bytes, application/octet-stream), 2007-07-05 10:08 EDT, Joshua Covington
found in /etc/ (191 bytes, application/octet-stream), 2007-07-05 10:09 EDT, Joshua Covington

Description Joshua Covington 2007-07-03 09:21:48 EDT
Description of problem:
After updating to kde357 (using fc7) and installing and deinstalling (because of
numerous problems)
seedit-2.1.1-2.fc7.1.i386.rpm
seedit-gui-2.1.1-2.fc7.1.i386.rpm
seedit-policy-2.1.1-2.fc7.1.i386.rpm
selinux-doc-1.26-1.1.noarch.rpm
I got lots of the following messages when shutting down:
----------------------------------------------
Jul 2 22:26:34 localhost auditd[1776]: The audit daemon is exiting.
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:95): audit_pid=0 old=1776
by auid=4294967295 subj=system_u:system_r:auditd_t:s0
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:96): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'dhclient_t' is invalid
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:97): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:98): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'mcstransd_t' is invalid
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:99): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:100): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:101): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'samba_t' is invalid
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:102): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:103): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:104): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:105): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:106): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:107): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:108): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:109): auid=4294967295
subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
-----------------------------------------------------------------


I also now have problems with the combination "fn+sound up/down". I've enabled
the "microsoft natural pro/ internet pro" keyboard layout (in kde) but it
doesn't function anymore. And when trying to use the combination "fn+sound
up/down" I just see the status bar dialog going from 0 up to 11%, but this doesn't
reflect the actual volume level (and the level is actually 100%, not 0% as
shown). In kde 356 it was ok and all keyboard shortcuts were functioning ok.


Version-Release number of selected component (if applicable):


How reproducible:
Install the above packages.
Then, after relabelling the system what of the sys.processes wouldn't start
because of the se-rules.
Start interactive startup and disable the messagebus and the HAL daemon, go
into the X (kde) and deinstall the rpms.
After the new relabelling the problem occurs.


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:
The kde keyboard layout with microsoft natural pro/ internet pro enabled
enables lots of the fn keys on most laptops, and I think the kde-update has
nothing to do with the problem. Maybe the seedit (which I had to delete manually
after deinstall from /etc/seedit and /etc/selinux/seedit/) is somehow blocking
the kde script that manages the keyboard.


Additional info:
Comment 1 Yuichi Nakamura 2007-07-03 19:36:34 EDT
Hi.
There may be extra entries in audit.conf.
Can you tell me the contents of /etc/audit.conf ?
Comment 2 Joshua Covington 2007-07-05 10:06:54 EDT
Created attachment 158585 [details]
found in /var/log/audit/
Comment 3 Joshua Covington 2007-07-05 10:07:44 EDT
Created attachment 158586 [details]
found in /var/log/audit/
Comment 4 Joshua Covington 2007-07-05 10:08:12 EDT
Created attachment 158587 [details]
found in /etc/audit/
Comment 5 Joshua Covington 2007-07-05 10:08:38 EDT
Created attachment 158589 [details]
found in /etc/audit/
Comment 6 Joshua Covington 2007-07-05 10:09:01 EDT
Created attachment 158590 [details]
found in /etc/
Comment 7 Joshua Covington 2007-07-05 10:11:03 EDT
These are the files that I found, but no /etc/audit.conf. When I looked in them
there is nothing unusual for me.
Comment 8 Joshua Covington 2007-07-05 10:16:22 EDT
Another user has this problem, too. Here:
http://forums.fedoraforum.org/showthread.php?t=159800
Comment 9 Yuichi Nakamura 2007-07-05 20:02:47 EDT
What happens if you delete the following from audit.rules and restart the audit service?

-a exit,always -S chroot
-a exit,always -S chdir -F obj_type=dhclient_t
-a exit,always -S chdir -F obj_type=sendmail_t
-a exit,always -S chdir -F obj_type=mcstransd_t
-a exit,always -S chdir -F obj_type=sshd_t
-a exit,always -S chdir -F obj_type=ntpd_t
-a exit,always -S chdir -F obj_type=samba_t
-a exit,always -S chdir -F obj_type=named_t
-a exit,always -S chdir -F obj_type=klogd_t
-a exit,always -S chdir -F obj_type=crond_t
-a exit,always -S chdir -F obj_type=httpd_t
-a exit,always -S chdir -F obj_type=auditd_t
-a exit,always -S chdir -F obj_type=portmap_t
-a exit,always -S chdir -F obj_type=syslogd_t


Comment 10 Joshua Covington 2007-07-09 14:45:06 EDT
OK, after deleting these rules and restarting the service I've got no more
messages. Actually just one, but I think it is from the audit service itself and
it reports that the service has exited or something like this.
Actually I had a similar message before installing seedit.
The message is:
--------------------
Jul  6 20:07:42 localhost auditd[1753]: The audit daemon is exiting.
Jul  6 20:07:42 localhost audispd[1755]: input read: EOF
Jul  6 20:07:42 localhost kernel: audit(1183745262.457:277): audit_pid=0
old=1753 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
--------------------

As of this I think this problem has been fixed. By the way, how have all these rules
been added to the rules.conf? I haven't made any manual changes to these
files.
Comment 11 Yuichi Nakamura 2007-07-10 21:32:34 EDT
...
-a exit,always -S chdir -F obj_type=dhclient_t
....

are added by seedit when converting policy.
These entries are necessary for seedit's policy generating component 
to obtain full path information from audit.log.
Comment 12 Yuichi Nakamura 2007-07-10 21:34:56 EDT
And I fixed seedit to remove these entries from audit.rules when uninstalling
seedit.
I applied the change to svn.sourceforge.net/svnroot/seedit.
I think the fixed seedit will also be uploaded to Fedora in the near future.
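
The following is an added example, not part of the thread and not seedit's code: it correlates the kernel's "audit rule for selinux '...' is invalid" messages with the audit.rules lines that name the same type, so leftover rules can be found before editing the file. The function names and both sample inputs are constructed from lines quoted in this report; unlike Comment 9, it flags only the rules the kernel actually named, so the remaining seedit rules still need a manual review.

```python
import re

# Kernel message format as it appears in the log quoted in this report.
INVALID_RE = re.compile(r"audit rule for selinux '([^']+)' is invalid")
# auditctl -F fields that name an SELinux type.
TYPE_FIELD_RE = re.compile(r"-F\s+(?:obj_type|subj_type)=(\S+)")

# Constructed sample: an audit.rules file holding some of the rules from Comment 9.
SAMPLE_RULES = """\
# First rule - delete all
-D
-a exit,always -S chroot
-a exit,always -S chdir -F obj_type=dhclient_t
-a exit,always -S chdir -F obj_type=sshd_t
-a exit,always -S chdir -F obj_type=mcstransd_t
-a exit,always -S chdir -F obj_type=samba_t
"""

# Constructed sample: syslog lines in the format shown in the description.
SAMPLE_SYSLOG = """\
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'dhclient_t' is invalid
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'mcstransd_t' is invalid
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'samba_t' is invalid
Jul 2 22:26:34 localhost auditd[1776]: The audit daemon is exiting.
"""

def invalid_types(syslog_text):
    """SELinux types the kernel reported as invalid in an audit rule."""
    return set(INVALID_RE.findall(syslog_text))

def stale_rules(rules_text, syslog_text):
    """Return (line_number, rule) for each rule naming a rejected type."""
    rejected = invalid_types(syslog_text)
    hits = []
    for number, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue  # blank lines and comments carry no rule
        types = TYPE_FIELD_RE.findall(rule)
        if any(t in rejected for t in types):
            hits.append((number, rule))
    return hits

def without_stale(rules_text, syslog_text):
    """Rules file content with the flagged lines dropped, everything else kept."""
    drop = {number for number, _ in stale_rules(rules_text, syslog_text)}
    kept = [l for n, l in enumerate(rules_text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"
```

On a real system the two arguments would be the contents of the audit.rules file and of the syslog file that holds the kernel messages; the audit service has to be restarted afterwards, as in Comment 9.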
Comment 13 Joshua Covington 2007-07-11 13:51:10 EDT
Thanks a lot for this!

Therefore I love Fedora!
Comment 14 Joshua Covington 2007-07-12 11:13:42 EDT
OK, the problem has been fixed (credit should go to Yuichi Nakamura) but when I
installed the seedit for the first time there was something strange.

It made me reboot and on the reboot there was a relabelling with the seedit
policy. After this an automatic restart and then lots of services wouldn't start
because of problems.

So I restarted in interactive startup and didn't start the failed services. Then
uninstalled the seedit, restart, relabel with the target-policy and the messages
appeared.

So in my opinion seedit shouldn't automatically relabel and should be more
compatible with the other processes. But I cannot exactly remember what errors
appeared because it was about 2 weeks ago. :(

Maybe this can help for a more user-friendly policy editor.
Comment 15 Yuichi Nakamura 2007-07-20 04:17:36 EDT
Thanks for the report.

> after this an automatic restart and then lots of services wouldn't start
> because of problems.
It is strange.
In F7, seedit is not tested well; I have to test in F7 more.


