Thank you for the reply. Current version is audit-1.5.5-7.el5.
OK, I thought you were running something newer from 5.2 beta. This uses the old event
dispatcher which doesn't do anything fancy. Maybe you would want to try disabling the
dispatcher and see if you are still having a problem. Add a # at the beginning of the line
for dispatcher= in /etc/audit/auditd.conf. This will affect setroubleshoot, though.
But I got to admit that I haven't seen this kind of behavior before for the older
software. Do you have auditd.conf setup to send email alerts? Also, avcs don't tell
you the whole story alone. You may need to temporarily add a simple rule like, "-w
/etc/shadow -p w", to /etc/audit/audit.rules to trigger more detailed information.
This sounds like a program that is being run from auditd doesn't have an auto
transition and therefore appears as if it were auditd_t.
Man pages for auditd.conf do not show name_format option. Anyway I
both options name_format = none and name_format = hostname and still
auditd fails to startup.
Yeah, that's for the newer 5.2 version.
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.