Hi, I am on Red Hat Enterprise Linux 5 (Dell 1950). Auditing is failing to start. This is the message in the messages file:
Mar 19 10:14:08 myhost kernel: input: USB HID v1.00 Keyboard [Silitek Standard USB Keyboard ] on usb-0000:00:1d.7-5.1
Mar 19 10:14:36 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) No such file or directory
Mar 19 10:19:10 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
Mar 19 10:20:22 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
Mar 19 12:20:01 myhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Mar 19 12:27:42 myhost kernel: audit(1205944062.921:39): avc: denied { getattr } for pid=32443 comm="auditd" path="/etc/resolv.conf" dev=sda3 ino=15124046 scontext=user_u:system_r:auditd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:41): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:42): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.923:43): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost auditd: The audit daemon is exiting.
Then I did the following:
grep auditd /var/log/messages | audit2allow -M auditsocket
semodule -i auditsocket.pp
I tried starting auditd again, it kept giving me messages for auditd denied, right now I see this:
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc: denied { getattr } for pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs ino=21080 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.513:119): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.514:120): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 learn6 auditd: The audit daemon is exiting.
I need help to resolve the above issue. Am I doing something wrong? Can someone help me please.
I do not want to disable SELinux.
Thanks in advance.
On Wed, 2008-03-19 at 11:51 -0700, pselinux wrote:
So on the first attempt, auditd only got so far in its initialization before exiting and thus didn't generate the later set of audit messages.
You can keep iteratively generating new policy modules as you did above and inserting them until you get a working auditd, or you can just switch to permissive mode temporarily (setenforce 0), start auditd to generate the full set of audit messages, and generate the final policy module in one go. Then switch back to enforcing mode (setenforce 1).
A finer-grained way of doing this is coming via permissive domains, where you can make a single domain permissive.
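The one-shot procedure described in the reply above, written out as a shell script. This is an added example, not code from the thread or from the audit or SELinux projects. The sample log lines are constructed to mirror the thread's AVC messages (with RFC 5737 addresses in place of the redacted ones); the module name auditdlocal and the /tmp work file are arbitrary; and summarize_avc is my own awk approximation of the allow rules audit2allow emits, included so the rules can be read before semodule makes them policy.

```shell
#!/bin/sh
# Added example (not from the thread): permissive once, collect every AVC
# denial auditd produces, review the implied allow rules, build one module.

# Constructed sample of what /var/log/messages held. auditd was dead, so its
# own denials went to syslog via the kernel, not to /var/log/audit/audit.log.
sample_avc_log() {
    cat <<'EOF'
Mar 19 12:27:42 myhost kernel: audit(1205944062.921:39): avc:  denied  { getattr } for  pid=32443 comm="auditd" path="/etc/resolv.conf" dev=sda3 ino=15124046 scontext=user_u:system_r:auditd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc:  denied  { connect } for  pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc:  denied  { getattr } for  pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs ino=21080 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc:  denied  { read } for  pid=3899 comm="auditd" laddr=192.0.2.10 lport=32769 faddr=192.0.2.53 fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost auditd: The audit daemon is exiting.
EOF
}

# Turn AVC denial lines on stdin into the allow rules they imply: one line per
# (source type, target type, class), permissions merged and de-duplicated.
# This is a plain-awk approximation of the .te that audit2allow -M writes,
# meant for reading the rules before they become policy.
summarize_avc() {
    awk '
    /avc: *denied *\{/ {
        perms = $0
        sub(/.*denied *\{ */, "", perms)
        sub(/ *\}.*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        if (tgt == src) tgt = "self"      # same spelling audit2allow uses
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rule[key] = (rule[key] == "" ? p[j] : rule[key] " " p[j])
            }
        }
    }
    END { for (k in rule) printf "allow %s { %s };\n", k, rule[k] }
    ' | sort
}

# The one-shot workflow. Run as root on the affected host; this script only
# calls it when started with --apply. On releases that have it,
# `semanage permissive -a auditd_t` makes just auditd_t permissive instead of
# `setenforce 0` for the whole box.
build_auditd_module() {
    module=${1:-auditdlocal}
    work=/tmp/$module.avc
    setenforce 0
    /sbin/service auditd restart
    # Denials logged before auditd connects end up in syslog; later ones in
    # audit.log. Gather both; audit2allow merges duplicates.
    { grep 'comm="auditd"' /var/log/messages || true
      ausearch -m AVC -c auditd 2>/dev/null || true; } > "$work"
    echo "Rules the module will contain:"
    summarize_avc < "$work"
    printf 'Insert %s.pp? [Enter to continue, Ctrl-C to abort] ' "$module"
    read -r _
    audit2allow -M "$module" < "$work"
    semodule -i "$module.pp"
    setenforce 1
    /sbin/service auditd restart
}

if [ "${1:-}" = "--apply" ]; then
    build_auditd_module "${2:-auditdlocal}"
else
    sample_avc_log | summarize_avc
fi
```

Run without arguments it only prints the rules implied by the sample. The review step is the point: what the sample yields is `allow auditd_t net_conf_t:file { getattr };` and `allow auditd_t self:udp_socket { connect getattr read };`, that is, the audit daemon reading /etc/resolv.conf and talking UDP to port 53. Those are name lookups, and the decision to make before `semodule -i` is whether the audit daemon should be allowed to do them or whether whatever makes it do them should be removed from its configuration. Also note that a denial which still appears with SELinux in permissive mode is, by definition, not SELinux stopping the daemon.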
Hi Stephen, Thank you for the reply. I iteratively generated the new policy modules and inserted them. I repeated this 6 times. Now auditd does not start and there are no SELinux related messages in the system logs. The only message I see is "The audit daemon is exiting". No messages in /var/log/audit either.
I tried setting SELinux to permissive mode, and auditd won't start in this mode.
Without enabling audit I cannot put this server in production. Any input greatly appreciated.
What precise output do you get upon: # /sbin/service auditd restart
And what is your audit configuration (under /etc/audit)?
No output in /var/log/audit/audit.log?
What precise output do you get upon: # /sbin/service auditd restart
Output I get is Starting auditd: [FAILED]
And what is your audit configuration (under /etc/audit)?
Below is the content of /etc/audit/auditd.conf file
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
dispatcher = /sbin/audispd
disp_qos = lossy
max_log_file = 30
max_log_file_action = ROTATE
space_left = 75
#space_left_action = SYSLOG
space_left_action = email
action_mail_acct = scook@ntis.gov
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
No output in /var/log/audit/audit.log?
No entry gets logged into /var/log/audit/audit.log
BTW I forgot to mention this in my earlier emails... sorry, I hope this might help. Audit used to work and stopped working; this is the sequence of events that happened before audit stopped.
1. I set SELinux to disabled (I think, not sure about permissive), since Apache and a Java app were causing a lot of issues at startup. To debug this issue I had to disable SELinux.
2. Finally I figured it was something else that caused apache and java app errors.
3. Then I enabled SELinux, created /.autorelabel and rebooted. When I was going through the system checklist I found out that audit was starting. Here are the last couple of entries (on Feb 29th, 08) in /var/log/audit.log:
type=CWD msg=audit(1204313263.896:1829993): cwd="/"
type=PATH msg=audit(1204313263.896:1829993): item=0 name="/usr/lib/locale/locale-archive" inode=12838402 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:locale_t:s0
type=SYSCALL msg=audit(1204313263.896:1829994): arch=40000003 syscall=5 success=yes exit=3 a0=9c0bce8 a1=8000 a2=0 a3=8000 items=1 ppid=10587 pid=10597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="id" exe="/usr/bin/id" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1204313263.896:1829994): cwd="/"
type=PATH msg=audit(1204313263.896:1829994): item=0 name="/proc/self/task/10597/attr/current" inode=694485046 dev=00:03 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1204313263.896:1829995): arch=40000003 syscall=5 success=yes exit=6 a0=91c9630 a1=8000 a2=0 a3=8000 items=1 ppid=1 pid=2278 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" subj=system_u:system_r:setrans_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1204313263.896:1829995): cwd="/"
type=PATH msg=audit(1204313263.896:1829995): item=0 name="/proc/10597/attr/current" inode=694485016 dev=00:03 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1204313263.897:1829996): arch=40000003 syscall=5 success=yes exit=3 a0=4424fb77 a1=0 a2=0 a3=ffffffff items=1 ppid=10587 pid=10598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="selinuxenabled" exe="/usr/sbin/selinuxenabled" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1204313263.897:1829996): cwd="/"
4. I once manually ran fixfiles. When did I run this? I don't remember the sequence.
Thanks for the help.
selinux@lists.fedoraproject.org