Starting auditd from upstart/inittab with "/sbin/auditd -n" does not work.
auditd bails out, complaining, that it is not allowed to fork :)
Cannot daemonize (Operation not permitted)
I believe this is because /dev/null may not exist yet. So, I instrumented the audit daemon to output a little more info about why it cannot daemonize. Please give the package here a try:
Let me know what you find in syslog.
(In reply to comment #2)
> I believe this is because /dev/null may not exist yet.
hmm, no, this was tried from upstart and tried from shell.
> So, I instrumented the
> audit daemon to output a little more info about why it cannot daemonize. Please
> give the package here a try:
> Let me know what you find in syslog.
Dec 17 14:36:08 harryh kernel: audit(1229520968.001:239): audit_pid=0 old=495 auid=500 ses=1 subj=unconfined_u:system_r:auditd_t:s0 res=1
Dec 17 14:36:11 harryh auditd: Cannot changed session id
Dec 17 14:36:11 harryh auditd: Cannot daemonize (Operation not permitted)
Dec 17 14:36:11 harryh auditd: The audit daemon is exiting.
OK, that shows me what the problem is. It fails setsid() due to already being a session leader. I'll patch up the audit daemon and push it through the build system.
new audit packages can be found here:
Thanks for reporting the problem.
Thanks! That was quick :)
Closing out since bug appears to be fixed long ago.