On 04/01/2012 09:12 AM, Frank Murphy wrote:
Currently auditd fails to start on a particular guest.
service auditd restart
Redirecting to /bin/systemctl restart auditd.service
[  199.986682] type=1400 audit(1333285442.114:6): avc:  denied  { dac_override } for  pid=1409 comm="auditd" capability=1  scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
[  199.988842] type=1400 audit(1333285442.116:7): avc:  denied  { dac_read_search } for  pid=1409 comm="auditd" capability=2  scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
Job failed. See system logs and 'systemctl status' for details.
systemctl status auditd.service gives nothing extra to above.
dac_override and dac_read_search almost always mean you have a file with the wrong ownership/permissions on it. This indicates you have a root process that does not have read or write access to a file based on permissions. The way to find the object that auditd is not being allowed to access is to turn on full auditing. For example, execute
auditctl -w /etc/shadow
Then start the audit service and see if you get an avc including the PATH record; you may need to do this in permissive mode, or run auditd in permissive:
semanage permissive -a auditd_t
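As an added example (not part of the original thread or of the audit package), here is a POSIX shell helper for the correlation step the reply describes: it reads audit records on stdin, picks out dac_override/dac_read_search denials, and prints the PATH record(s) that share the same event serial, so you can see the owner and mode of the object the root process was refused. The sample records are constructed for the demo (the path, inode, owner and mode are invented, not the poster's real output). The add_audit_watch and make_auditd_permissive wrappers only hold the two commands from the reply and need root; the parser itself runs anywhere awk exists.

```shell
#!/bin/sh
# Added example: correlate capability AVC denials with their PATH records.
# Not from the original post; sample data below is constructed.

# Step 1 (root): watch a path so the kernel emits SYSCALL/PATH records for
# every access to it. /etc/shadow is the path used in the reply.
add_audit_watch() { auditctl -w "${1:-/etc/shadow}"; }

# Optional (root): keep auditd_t permissive so the restart goes through and
# every denial is still logged with its PATH record.
make_auditd_permissive() { semanage permissive -a auditd_t; }

# Step 2: read audit records (ausearch output or audit.log) from stdin and,
# for each dac_override / dac_read_search denial, print the object(s) named
# by PATH records with the same audit(...:serial) key.
find_denied_paths() {
  awk '
    # audit(1333285442.114:6) -> "6"
    function serial(line,   m) {
      if (match(line, /audit\([0-9.]+:[0-9]+\)/)) {
        m = substr(line, RSTART, RLENGTH)
        sub(/^audit\([0-9.]+:/, "", m); sub(/\)$/, "", m)
        return m
      }
      return ""
    }
    # value of " key=value", with surrounding quotes stripped
    function field(line, key,   m) {
      if (match(line, " " key "=[^ ]+")) {
        m = substr(line, RSTART, RLENGTH)
        sub("^ " key "=", "", m); gsub(/"/, "", m)
        return m
      }
      return "?"
    }
    /^type=AVC / && /denied/ && /dac_(override|read_search)/ {
      s = serial($0); denied[s] = field($0, "comm")
    }
    /^type=PATH / {
      s = serial($0); name = field($0, "name")
      if (name != "?")
        paths[s] = paths[s] name "|" field($0, "ouid") "|" field($0, "ogid") "|" field($0, "mode") "\n"
    }
    END {
      for (s in denied) {
        if (!(s in paths)) {
          printf "serial=%s comm=%s path=(no PATH record: add an auditctl watch or run the domain permissive)\n", s, denied[s]
          continue
        }
        n = split(paths[s], rec, "\n")
        for (i = 1; i <= n; i++) {
          if (rec[i] == "") continue
          split(rec[i], f, "|")
          printf "serial=%s comm=%s path=%s owner=%s:%s mode=%s\n", s, denied[s], f[1], f[2], f[3], f[4]
        }
      }
    }
  ' | sort
}

# Constructed sample: event 6 has a PATH record (a 0600 file owned by uid 1000,
# which root can only open with CAP_DAC_OVERRIDE); event 7 has none, as happens
# when no watch is in place. Inode, path and owner are made up for the demo.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1333285442.114:6): avc:  denied  { dac_override } for  pid=1409 comm="auditd" capability=1  scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
type=SYSCALL msg=audit(1333285442.114:6): arch=c000003e syscall=2 success=no exit=-13 pid=1409 comm="auditd" exe="/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
type=PATH msg=audit(1333285442.114:6): item=0 name="/var/log/audit/audit.log" inode=262147 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:auditd_log_t:s0
type=AVC msg=audit(1333285442.116:7): avc:  denied  { dac_read_search } for  pid=1409 comm="auditd" capability=2  scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability'

# Demo run on the constructed sample. On a real box use instead:
#   ausearch -ts recent | find_denied_paths
#   find_denied_paths < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | find_denied_paths
```

Once a path is reported, `ls -ld` on it shows whether the owner or mode is what the daemon expects; a denial with no PATH record is the cue to add the watch (or go permissive) and restart the service as the reply suggests.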