Starting auditd from upstart/inittab with "/sbin/auditd -n" does not work. auditd bails out, complaining that it is not allowed to fork :)
/var/log/messages: Cannot daemonize (Operation not permitted)
I believe this is because /dev/null may not exist yet. So, I instrumented the audit daemon to output a little more info about why it cannot daemonize. Please give the package here a try: http://people.redhat.com/sgrubb/files/audit-1.7.11-1.src.rpm Let me know what you find in syslog.
(In reply to comment #2)
> I believe this is because /dev/null may not exist yet.

Hmm, no, this was tried from upstart and tried from shell.

> So, I instrumented the
> audit daemon to output a little more info about why it cannot daemonize. Please
> give the package here a try:
>
> http://people.redhat.com/sgrubb/files/audit-1.7.11-1.src.rpm
>
> Let me know what you find in syslog.

Dec 17 14:36:08 harryh kernel: audit(1229520968.001:239): audit_pid=0 old=495 auid=500 ses=1 subj=unconfined_u:system_r:auditd_t:s0 res=1
Dec 17 14:36:11 harryh auditd: Cannot changed session id
Dec 17 14:36:11 harryh auditd: Cannot daemonize (Operation not permitted)
Dec 17 14:36:11 harryh auditd: The audit daemon is exiting.
OK, that shows me what the problem is. It fails setsid() due to already being a session leader. I'll patch up the audit daemon and push it through the build system.
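The failure diagnosed in the comment above, reproduced as an added example (not part of the original bug thread and not the audit project's actual fix): a process that already leads a session gets EPERM from an unconditional setsid(), while a check against getsid() avoids the fatal error. The helper names ensure_session_leader and run_in_child are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: make sure we lead a session, treating
 * "already a session leader" as success rather than a fatal error. */
static int ensure_session_leader(void)
{
    if (getsid(0) == getpid())
        return 0;                           /* nothing to do */
    return setsid() == (pid_t)-1 ? -1 : 0;  /* errno set on failure */
}

/* Run fn() in a forked child and return its exit status. */
static int run_in_child(int (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fn());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Unconditional setsid() in a process that already leads a session. */
static int naive_when_leader(void)
{
    if (setsid() == (pid_t)-1)              /* first call: become leader */
        return 100;
    return setsid() == (pid_t)-1 ? errno : 0;   /* second call fails */
}

/* Same starting state, but going through the tolerant helper. */
static int tolerant_when_leader(void)
{
    if (setsid() == (pid_t)-1)
        return 100;
    return ensure_session_leader() == 0 ? 0 : errno;
}

int main(void)
{
    printf("naive:    %d (EPERM is %d)\n", run_in_child(naive_when_leader), EPERM);
    printf("tolerant: %d\n", run_in_child(tolerant_when_leader));
    return 0;
}
```

The children are forked so the result does not depend on how the example itself was launched; a freshly forked child is never a process group leader, so its first setsid() succeeds.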
New audit packages can be found here: http://koji.fedoraproject.org/koji/buildinfo?buildID=75101 Thanks for reporting the problem.
Thanks! That was quick :)
Closing out since bug appears to be fixed long ago.