>Hi Stephen,
> Thank you for the reply. I interactively generated the new policy
>modules and inserted them. I repeated this 6 times. Now auditd does not start and
>there are no SELinux-related messages in the system logs. The only message I see is
>"The audit daemon is exiting". No messages in /var/log/audit either.
>I tried setting SELinux to permissive mode, and auditd won't start in
>this mode either.
>Without enabling audit I cannot put this server in production. Any
>input is greatly appreciated.
What precise output do you get upon:
# /sbin/service auditd restart
Output I get is
Starting auditd: [FAILED]
And what is your audit configuration (under /etc/audit)?
Below is the content of /etc/audit/auditd.conf file
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
dispatcher = /sbin/audispd
disp_qos = lossy
max_log_file = 30
max_log_file_action = ROTATE
space_left = 75
#space_left_action = SYSLOG
space_left_action = email
action_mail_acct = scook(a)ntis.gov
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
No output in /var/log/audit/audit.log?
No entry gets logged into /var/log/audit/audit.log
BTW, I forgot to mention this in my earlier emails... sorry, I
hope this might help. Audit used to work and then stopped working; this is
the sequence of events that happened before audit stopped.
1. I set SELinux to disabled (I think; not sure whether it was permissive), since
apache and a java app were causing a lot of issues during startup. To debug
this issue I had to disable SELinux.
2. Finally I figured out it was something else that caused the apache and java
app errors.
3. Then I enabled SELinux and created /.autorelabel and rebooted it.
When I was going through the system checklist I found out that audit
was starting. Here are the last couple of entries (on Feb 29th, 08) in
/var/log/audit.log:
type=CWD msg=audit(1204313263.896:1829993): cwd="/"
type=PATH msg=audit(1204313263.896:1829993): item=0 name="/usr/lib/locale/locale-archive" inode=12838402 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:locale_t:s0
type=SYSCALL msg=audit(1204313263.896:1829994): arch=40000003 syscall=5 success=yes exit=3 a0=9c0bce8 a1=8000 a2=0 a3=8000 items=1 ppid=10587 pid=10597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="id" exe="/usr/bin/id" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1204313263.896:1829994): cwd="/"
type=PATH msg=audit(1204313263.896:1829994): item=0 name="/proc/self/task/10597/attr/current" inode=694485046 dev=00:03 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1204313263.896:1829995): arch=40000003 syscall=5 success=yes exit=6 a0=91c9630 a1=8000 a2=0 a3=8000 items=1 ppid=1 pid=2278 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" subj=system_u:system_r:setrans_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1204313263.896:1829995): cwd="/"
type=PATH msg=audit(1204313263.896:1829995): item=0 name="/proc/10597/attr/current" inode=694485016 dev=00:03 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1204313263.897:1829996): arch=40000003 syscall=5 success=yes exit=3 a0=4424fb77 a1=0 a2=0 a3=ffffffff items=1 ppid=10587 pid=10598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="selinuxenabled" exe="/usr/sbin/selinuxenabled" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1204313263.897:1829996): cwd="/"
4. I once manually ran fixfiles. When did I run this? I don't remember
the sequence.
Thanks for the help.
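The config and the log excerpt above are easier to reason about once the auditd.conf actions are checked mechanically and the audit records are grouped by event serial. The following Python is an added example, not code from this thread, from the audit package or from the SELinux project. It embeds a constructed copy of the auditd.conf keys posted in this message (mail account replaced by a placeholder) and the quoted audit records re-joined one per line, flags the settings under which auditd stays alive but stops writing (the SUSPEND actions, and the requirement that space_left be larger than admin_space_left), then groups the records by the audit(timestamp:serial) stamp and lists each syscall's SELinux subject context beside the object contexts of the paths it touched. The function names, the regular expressions and the sample values are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the auditd.conf keys posted in the thread that decide whether
# auditd keeps writing, with the mail account replaced by a placeholder.
AUDITD_CONF = """
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
dispatcher = /sbin/audispd
space_left = 75
#space_left_action = SYSLOG
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""

# Constructed sample: a subset of the records quoted in this message, one per line.
AUDIT_LOG = [
    'type=CWD msg=audit(1204313263.896:1829993): cwd="/"',
    'type=PATH msg=audit(1204313263.896:1829993): item=0 name="/usr/lib/locale/locale-archive"'
    ' inode=12838402 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:locale_t:s0',
    'type=SYSCALL msg=audit(1204313263.896:1829994): arch=40000003 syscall=5 success=yes exit=3'
    ' a0=9c0bce8 a1=8000 a2=0 a3=8000 items=1 ppid=10587 pid=10597 auid=4294967295 uid=0 gid=0'
    ' euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="id" exe="/usr/bin/id"'
    ' subj=system_u:system_r:initrc_t:s0 key=(null)',
    'type=CWD msg=audit(1204313263.896:1829994): cwd="/"',
    'type=PATH msg=audit(1204313263.896:1829994): item=0 name="/proc/self/task/10597/attr/current"'
    ' inode=694485046 dev=00:03 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t:s0',
    'type=SYSCALL msg=audit(1204313263.896:1829995): arch=40000003 syscall=5 success=yes exit=6'
    ' a0=91c9630 a1=8000 a2=0 a3=8000 items=1 ppid=1 pid=2278 auid=4294967295 uid=0 gid=0 euid=0'
    ' suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd"'
    ' subj=system_u:system_r:setrans_t:s0-s0:c0.c1023 key=(null)',
    'type=SYSCALL msg=audit(1204313263.897:1829996): arch=40000003 syscall=5 success=yes exit=3'
    ' a0=4424fb77 a1=0 a2=0 a3=ffffffff items=1 ppid=10587 pid=10598 auid=4294967295 uid=0 gid=0'
    ' euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="selinuxenabled"'
    ' exe="/usr/sbin/selinuxenabled" subj=system_u:system_r:initrc_t:s0 key=(null)',
]

# Every record starts with its type and the audit(timestamp:serial) event stamp.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$')
# Values are either "quoted", (parenthesised) like tty=(none), or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AUID_UNSET = 4294967295  # unsigned -1: the process was not started from a login session


def parse_auditd_conf(text):
    """Parse key = value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition('=')
        conf[key.strip()] = value.strip()
    return conf


def check_auditd_conf(conf):
    """Flag settings under which auditd keeps running but silently stops recording."""
    findings = []
    if int(conf.get('space_left', 0)) <= int(conf.get('admin_space_left', 0)):
        findings.append('space_left must be larger than admin_space_left (both in MB)')
    for key in ('admin_space_left_action', 'disk_full_action', 'disk_error_action'):
        if conf.get(key, '').upper() == 'SUSPEND':
            findings.append(f'{key}=SUSPEND: the daemon stays alive but stops writing records')
    if conf.get('space_left_action', '').lower() == 'email' and not conf.get('action_mail_acct'):
        findings.append('space_left_action=email needs action_mail_acct')
    return findings


def parse_audit_records(lines):
    """Group records by event serial: all records for one syscall share the same stamp."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. a line wrapped by a mail client)
        fields = {k: (v[1:-1] if v.startswith('"') else v)
                  for k, v in KV_RE.findall(m.group('rest'))}
        ev = events.setdefault(int(m.group('serial')),
                               {'timestamp': float(m.group('ts')), 'records': defaultdict(list)})
        ev['records'][m.group('type')].append(fields)
    return events


def selinux_summary(events):
    """Per event with a SYSCALL record: the acting process, its SELinux subject context,
    whether it came from a login session, and the object contexts of the paths touched."""
    out = []
    for serial, ev in events.items():
        syscalls = ev['records'].get('SYSCALL')
        if not syscalls:
            continue  # only CWD/PATH survived the excerpt; nothing to attribute
        sc = syscalls[0]
        out.append({
            'serial': serial,
            'comm': sc.get('comm'),
            'exe': sc.get('exe'),
            'subj': sc.get('subj'),
            'from_login_session': int(sc.get('auid', AUID_UNSET)) != AUID_UNSET,
            'objects': [(p.get('name'), p.get('obj')) for p in ev['records'].get('PATH', [])],
        })
    return out


if __name__ == '__main__':
    for finding in check_auditd_conf(parse_auditd_conf(AUDITD_CONF)):
        print('auditd.conf:', finding)
    for s in selinux_summary(parse_audit_records(AUDIT_LOG)):
        print(s['serial'], s['comm'], s['subj'], s['objects'])
```

Run against the thread's own values, the checker reports the three SUSPEND actions, and the summary shows that every process in the excerpt ran with auid unset (boot-time or init-script context, subj initrc_t or setrans_t) rather than from a login; that is consistent with the records coming from service startup, which is the point in time to look at when auditd itself fails to start.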