On Wed, 2008-03-19 at 11:51 -0700, pselinux wrote:
Hi,
I am on Red Hat Enterprise Linux 5 (Dell 1950). Auditing is failing to
start. This is the message in the messages file:
Mar 19 10:14:08 myhost kernel: input: USB HID v1.00 Keyboard [Silitek Standard USB Keyboard ] on usb-0000:00:1d.7-5.1
Mar 19 10:14:36 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) No such file or directory
Mar 19 10:19:10 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
Mar 19 10:20:22 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
Mar 19 12:20:01 myhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Mar 19 12:27:42 myhost kernel: audit(1205944062.921:39): avc: denied { getattr } for pid=32443 comm="auditd" path="/etc/resolv.conf" dev=sda3 ino=15124046 scontext=user_u:system_r:auditd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:41): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:42): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.923:43): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost auditd: The audit daemon is exiting.
Then I did the following:
grep auditd /var/log/messages | audit2allow -M auditsocket
semodule -i auditsocket.pp
I tried starting auditd again; it kept giving me "auditd denied" messages.
Right now I see this:
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc: denied { getattr } for pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs ino=21080 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.513:119): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.514:120): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 learn6 auditd: The audit daemon is exiting.
I need help to resolve the above issue. Am I doing something wrong? Can
someone help me, please?
I do not want to disable SELinux.
So on the first attempt, auditd only got so far in its initialization
before exiting and thus didn't generate the later set of audit messages.
You can keep iteratively generating new policy modules as you did above
and inserting them until you get a working auditd, or you can just
switch to permissive mode temporarily (setenforce 0), start auditd to
generate the full set of audit messages, and generate the final policy
module in one go. Then switch back to enforcing mode (setenforce 1).
A finer-grained way of doing this is coming via permissive domains,
where you can make a single domain permissive.
--
Stephen Smalley
National Security Agency
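The one-shot procedure from the reply above, written out as a shell script. This is an added example and not part of the original thread; it assumes RHEL 5 era tooling (setenforce, service, audit2allow -M, semodule, all of which exist there) and that AVC denials land in /var/log/messages while auditd is down, as they do in the post. The sample AVC lines embedded in it are constructed from the ones quoted above (addresses are placeholders); the helper names avc_summary and regenerate_auditd_policy are this example's own.

```shell
#!/bin/sh
# Added example: generate one policy module for auditd in a single permissive
# run, then go back to enforcing. Not code from the original post.
# Assumes RHEL 5 tooling: setenforce, service, audit2allow -M, semodule.

# Constructed sample lines, modelled on the AVC records quoted in the post.
SAMPLE_AVCS='Mar 19 12:27:42 myhost kernel: audit(1205944062.921:39): avc: denied { getattr } for pid=32443 comm="auditd" path="/etc/resolv.conf" dev=sda3 ino=15124046 scontext=user_u:system_r:auditd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:41): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost auditd: The audit daemon is exiting.'

# avc_summary COMM: read log lines on stdin, keep only AVC denials for the
# given comm, and print one unique line per (source type, target type, class,
# permissions). This is what audit2allow will turn into allow rules, so it is
# worth reading before installing anything: every line is a privilege grant.
avc_summary() {
  grep 'avc: *denied' | grep "comm=\"$1\"" |
  sed -n 's/.*avc: *denied *{ *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3:\4 \1/p' |
  sed 's/ *$//' | sort -u
}

# regenerate_auditd_policy [MODULE]: the procedure from the reply. Run as
# root on the affected host. Permissive mode logs every denial instead of
# stopping auditd at the first one, so a single audit2allow run covers the
# whole initialization path.
regenerate_auditd_policy() {
  module=${1:-auditdlocal}
  setenforce 0                        # permissive: log, don't block
  service auditd restart              # let auditd get past initialization
  sleep 5                             # give it time to do its startup work
  # Filter on comm="auditd" rather than the bare word auditd so that
  # unrelated lines (e.g. "auditd: The audit daemon is exiting.") are ignored.
  grep 'comm="auditd"' /var/log/messages | avc_summary auditd
  grep 'comm="auditd"' /var/log/messages | audit2allow -M "$module"
  cat "$module.te"                    # review the generated rules first
  semodule -i "$module.pp"
  setenforce 1                        # back to enforcing
  service auditd restart
}

# Without --apply, only summarise the constructed sample lines (safe to run
# anywhere); with --apply, run the live procedure on this host.
if [ "${1:-}" = "--apply" ]; then
  regenerate_auditd_policy "${2:-auditdlocal}"
else
  printf '%s\n' "$SAMPLE_AVCS" | avc_summary auditd
fi
```

On the sample lines the summary collapses the repeated connect denials into three grants: auditd_t to auditd_t:udp_socket for connect and for read, and auditd_t to net_conf_t:file for getattr. Read the .te file with that list in hand; audit2allow writes exactly what was denied, and anything in the log that was an attacker's doing, or a misconfiguration rather than a genuine need, gets allowed too if you install it unread.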