Bug 155400 - Auditd Fails to Start/Stop
Summary: Auditd Fails to Start/Stop
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: 4
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-04-19 23:12 UTC by Gary A. McGee
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-24 12:46:39 UTC


Attachments
Audit Log (deleted)
2005-04-24 11:51 UTC, Gary A. McGee

Description Gary A. McGee 2005-04-19 23:12:02 UTC
Description of problem:
Upon issuing, "service auditd start", or "service auditd stop" the following
console messages are received; "Starting auditd: [FAILED]" and, "Stopping
auditd: [FAILED]".  Additionally, /var/log/audit/audit.log is empty.

Version-Release number of selected component (if applicable):
audit-0.6.11-1

How reproducible:
Every time.

Steps to Reproduce:
1. Issue the command "service auditd start" or, "service auditd stop" as user root.

  
Actual results:
Auditd does not start. File /var/log/audit/audit.log is empty.


Expected results:
Auditd should start with log entries.


Additional info:
None

Comment 1 Steve Grubb 2005-04-19 23:50:14 UTC
Well...it works on my system. ;)

If you don't mind, edit /etc/sysconfig/auditd. Make the following change:

EXTRAOPTIONS="-f"

Then stop the audit daemon and start it. See if that tells us why it doesn't
want to start.

Thanks.


Comment 2 Gary A. McGee 2005-04-20 01:45:38 UTC
I followed the instructions from comment #1 and got the same results that I
initially reported.  I did observe that /etc/sysconfig/auditd contained the line: 

EXTRAOPTIONS=""

which I commented out before adding:

EXTRAOPTIONS="-f".

The file /var/log/audit/audit.log is still empty.

Comment 3 Gary A. McGee 2005-04-20 01:59:37 UTC
When I run "dmesg" I see the following:

audit(1113962245.916:0): avc:  denied  { sys_nice } for  pid=4441
exe=/sbin/auditd capability=23 scontext=root:system_r:auditd_t
tcontext=root:system_r:auditd_t tclass=capability

Comment 4 Steve Grubb 2005-04-20 02:34:49 UTC
Thanks for the info. The problem looks like a SE Linux policy problem. I'll
forward this to the right person. You should get rid of the -f in EXTRAOPTIONS
now that you've given me some information for troubleshooting.

Comment 5 Daniel Walsh 2005-04-20 14:06:24 UTC
Fixed in selinux-policy-*-1.23.11-4

Comment 6 Gary A. McGee 2005-04-21 18:26:08 UTC
I upgraded to selinux-policy-targeted-1.23.12-1, but the original problem was
not solved.

When I run "dmesg", I see the following message pertaining to auditd:

audit(1114106755.410:0): avc:  denied  { setsched } for  pid=2000
exe=/sbin/auditd scontext=user_u:system_r:auditd_t
tcontext=user_u:system_r:auditd_t tclass=process

FYI, I noticed these new messages as well.  I'm not sure if they're relevant to
this problem, but I want to bring them to your attention.  Please advise if this
is something for which I should create a new bug.

audit(1114106860.035:0): avc:  denied  { execmod } for  pid=4094
comm=firefox-bin path=/home/gamcgee/.mozilla/plugins/libflashplayer.so dev=hda9
ino=1056003 scontext=user_u:system_r:unconfined_t
tcontext=user_u:object_r:default_t tclass=file

audit(1114106860.110:0): avc:  denied  { execmod } for  pid=4094
comm=firefox-bin path=/home/gamcgee/.mozilla/plugins/libflashplayer.so dev=hda9
ino=1056003 scontext=user_u:system_r:unconfined_t
tcontext=user_u:object_r:default_t tclass=file

audit(1114106877.172:0): avc:  denied  { write } for  pid=4242 exe=/bin/cp
name=resolv.conf.predhclient dev=hda10 ino=64142
scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:etc_t tclass=file

audit(1114106877.173:0): avc:  denied  { unlink } for  pid=4242 exe=/bin/cp
name=resolv.conf.predhclient dev=hda10 ino=64142
scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:etc_t tclass=file

Comment 7 Tom Diehl 2005-04-22 02:50:31 UTC
On my system I am getting the following messages:
audit(1114135505.291:0): avc:  denied  { sys_admin } for  pid=1850
exe=/sbin/consoletype capability=21 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:system_r:dhcpc_t tclass=capability
audit(1114135513.089:0): avc:  denied  { sys_admin } for  pid=1880
exe=/sbin/consoletype capability=21 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:system_r:dhcpc_t tclass=capability
audit(1114135513.413:0): avc:  denied  { rename } for  pid=1924 exe=/bin/mv
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.417:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.417:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.425:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.425:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.425:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.425:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash
name=ntp.conf dev=dm-0 ino=102686 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.621:0): avc:  denied  { sys_admin } for  pid=1937
exe=/sbin/consoletype capability=21 scontext=user_u:system_r:dhcpc_t
tcontext=user_u:system_r:dhcpc_t tclass=capability
audit(1114135515.615:0): avc:  denied  { setsched } for  pid=2020
exe=/sbin/auditd scontext=user_u:system_r:auditd_t
tcontext=user_u:system_r:auditd_t tclass=process

(bullwinkle pts9) # rpm -qa |grep selinux
selinux-policy-targeted-1.23.12-1
libselinux-1.23.7-2
libselinux-devel-1.23.7-2
(bullwinkle pts9) #
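
Added example (not part of the original thread, and not code from the audit or SELinux projects): a small Python parser that rejoins line-wrapped AVC denials like the ones pasted in the comments above and collapses them by source domain, target type and class, so the auditd_t denials stand out from the unrelated dhcpc_t noise. The function names and the SAMPLE text (records taken from this thread, re-wrapped) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: denials quoted in this thread, wrapped across lines like a dmesg paste.
SAMPLE = """\
audit(1113962245.916:0): avc:  denied  { sys_nice } for  pid=4441 exe=/sbin/auditd capability=23
scontext=root:system_r:auditd_t tcontext=root:system_r:auditd_t tclass=capability
audit(1114106755.410:0): avc:  denied  { setsched } for  pid=2000 exe=/sbin/auditd
scontext=user_u:system_r:auditd_t tcontext=user_u:system_r:auditd_t tclass=process
audit(1114135513.417:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash name=ntp.conf dev=dm-0 ino=102686
scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:etc_t tclass=file
audit(1114135513.425:0): avc:  denied  { append } for  pid=1878 exe=/bin/bash name=ntp.conf dev=dm-0 ino=102686
scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:etc_t tclass=file
"""

HEAD = re.compile(r"^audit\((\d+\.\d+):\d+\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def parse_avc(text):
    """Rejoin wrapped records and return one dict per AVC denial."""
    joined = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("audit("):
            joined.append(line)            # start of a new record
        elif joined and line:
            joined[-1] += " " + line       # continuation of a wrapped record
    records = []
    for rec in joined:
        m = HEAD.match(rec)
        fields = dict(re.findall(r"(\w+)=(\S+)", m.group(3))) if m else {}
        if not {"scontext", "tcontext", "tclass"}.issubset(fields):
            continue                       # not an AVC denial, or truncated
        records.append({"perms": m.group(2).split(), "tclass": fields["tclass"],
                        "source": fields["scontext"].split(":")[2],  # type in user:role:type
                        "target": fields["tcontext"].split(":")[2]})
    return records

def summarize(records, source=None):
    """Collapse repeats into {(source, target, tclass): (sorted perms, count)}."""
    perms, counts = defaultdict(set), defaultdict(int)
    for r in records:
        if source in (None, r["source"]):  # optional filter on the source domain
            key = (r["source"], r["target"], r["tclass"])
            perms[key].update(r["perms"])
            counts[key] += 1
    return {k: (sorted(v), counts[k]) for k, v in perms.items()}

if __name__ == "__main__":
    for key, (p, n) in summarize(parse_avc(SAMPLE), source="auditd_t").items():
        print(key, p, f"x{n}")
```
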

Comment 8 Gary A. McGee 2005-04-24 11:51:00 UTC
Created attachment 113593
Audit Log

Comment 9 Gary A. McGee 2005-04-24 11:52:43 UTC
Auditd seems to start up now.  The attachment above is a copy of
/var/log/audit/audit.log.

Comment 10 Steve Grubb 2005-04-24 12:46:39 UTC
Thanks for reporting this problem. Closing it since it's fixed.

Comment 11 Ville Skyttä 2005-04-25 06:54:27 UTC
ntp.conf and friends avc denied messages -> bug 155855.

