I tried starting auditd again; it kept giving me messages for auditd denied.
Right now I see this:
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc: denied { getattr } for pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs ino=21080 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 learn6 auditd: The audit daemon is exiting.
I need help to resolve the above issue. Am I doing something wrong?
Can someone help me please?
I do not want to disable SELinux.
So on the first attempt, auditd only got so far in its initialization before exiting and thus didn't generate the later set of audit messages.
You can keep iteratively generating new policy modules as you did above and inserting them until you get a working auditd, or you can just switch to permissive mode temporarily (setenforce 0), start auditd to generate the full set of audit messages, and generate the final policy module in one go. Then switch back to enforcing mode (setenforce 1).
A finer-grained way of doing this is coming via permissive domains, where you can make a single domain permissive.
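Whichever route is taken, the module generated from the collected denials should be read before it is inserted with semodule, since every allow rule in it widens the auditd_t domain permanently. The following is an added example, not code from the thread or from the SELinux tools: it parses kernel AVC denial lines like the ones quoted above, merges them per (source type, target type, class), and renders the allow rules that such a set of denials corresponds to, so the resulting policy can be reviewed in plain form. The sample lines are constructed from the post (addresses and inode numbers are placeholders); the rule rendering mirrors the allow-rule syntax of SELinux policy, and lines that lack a tclass field, as the second denial in the post does, are reported as skipped rather than silently turned into a rule.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the denials quoted in the post above.
# The second line deliberately has no tclass= field, as in the original.
SAMPLE_AVC_LINES = """\
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc: denied { getattr } for pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs ino=21080 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost auditd: The audit daemon is exiting.
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields plus a 'perms' list, or None if
    the line is not an AVC denial (e.g. the daemon's own exit message)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def domain_type(context):
    """user_u:system_r:auditd_t:s0 -> auditd_t (the type is the third field)."""
    return context.split(':')[2]


def aggregate(text):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}.
    Lines without scontext/tcontext/tclass cannot yield a rule and are
    returned separately so the reviewer sees what was not covered."""
    rules = defaultdict(set)
    skipped = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
            skipped.append(line)
            continue
        key = (domain_type(rec['scontext']), domain_type(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return rules, skipped


def render_te(rules):
    """Render the merged denials as SELinux allow rules, one per line.
    A domain acting on its own type is written as 'self', as policy does."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == '__main__':
    merged, unparsed = aggregate(SAMPLE_AVC_LINES)
    for rule in render_te(merged):
        print(rule)
    for line in unparsed:
        print('# skipped (no tclass):', line)
```

Running it on the sample prints `allow auditd_t self:udp_socket { getattr read };` and flags the tclass-less denial as skipped. Reading the output this way before `semodule -i` makes it obvious when a denial would be satisfied by a rule far broader than the daemon actually needs (for example a permission set on a class other than the one the service should be touching), which is the moment to stop and investigate the cause rather than allow it.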