Description of problem: What's this? [root@viklef log]# grep 'audit rule' messages Apr 23 00:04:13 viklef kernel: audit rule for selinux 'dhclient_t' is invalid Apr 23 00:04:13 viklef kernel: audit rule for selinux 'mcstransd_t' is invalid Apr 23 00:04:13 viklef kernel: audit rule for selinux 'samba_t' is invalid Apr 23 00:05:17 viklef kernel: audit rule for selinux 'dhclient_t' is invalid Apr 23 00:05:17 viklef kernel: audit rule for selinux 'mcstransd_t' is invalid Apr 23 00:05:17 viklef kernel: audit rule for selinux 'samba_t' is invalid Apr 23 10:30:11 viklef kernel: audit rule for selinux 'dhclient_t' is invalid Apr 23 10:30:11 viklef kernel: audit rule for selinux 'mcstransd_t' is invalid Apr 23 10:30:11 viklef kernel: audit rule for selinux 'samba_t' is invalid Apr 23 10:31:15 viklef kernel: audit rule for selinux 'dhclient_t' is invalid Apr 23 10:31:15 viklef kernel: audit rule for selinux 'mcstransd_t' is invalid Apr 23 10:31:15 viklef kernel: audit rule for selinux 'samba_t' is invalid Apr 23 13:50:50 viklef kernel: audit rule for selinux 'dhclient_t' is invalid Apr 23 13:50:50 viklef kernel: audit rule for selinux 'mcstransd_t' is invalid Apr 23 13:50:50 viklef kernel: audit rule for selinux 'samba_t' is invalid [root@viklef log]# grep mcstransd_t /var/log/audit/audit.log [root@viklef log]# Version-Release number of selected component (if applicable): selinux-policy-targeted-3.3.1-35.fc9.noarch
Are you installing some kind of audit rules?
If yes, then by mistake. How could I know?
I don't know. Steve any ideas?
These messages seem to be coming from the kernel. It looks like a bunch of audit by selinux type rules were loaded. These would be something like: auditctl -a exit,always -F subj_type=mcstransd_t They could either be loaded at the commandline or /etc/audit/audit.rules. Anyways it looks like maybe a change to policy occurred that made the rules invalid. So, the kernel was warning that the rules were being deleted after that policy was loaded.
Created attachment 303820 [details] /etc/audit/auditd.conf
Created attachment 303821 [details] /etc/audit/audit.rules And I swear I have never ever seen command like you mentioned in my life, even less I would type with my hands.
Could a post install script of an rpm have caused this or a rhts test script?
(In reply to comment #7) > Could a post install script of an rpm have caused this or a rhts test script? The question was probably not targeted towards me, but just to note that I have never had anything to do with RHTS, and even more it doesn't touch my personal computer.
Are you continuing to see this on reboot? Have you seen this again?
No error message since 2008-04-26. Thanks a lot.