Hi,
>> But the next reboot then had auditd advise me there was an error in line
>> 16 of /etc/audit/auditd.rules.
Which audit package are you using? FWIW, audit and selinux are different subsystems. If
you have audit problems, it would be more helpful to change the subject line so that it
catches my attention. I do not read every SE Linux email. :)
>> -a exit,always -S chroot
>> #-a exit,always -S chdir -F obj_type=dhclient_t
>> -----------
>> Now it seems to me that those rules were there for a reason, and to have to
>> comment all but the first one out to get rid of the error:
These are not default audit rules. You or someone with access to your machine would have
put these there. Did they work when you originally installed them and they quit working
recently?
>> Starting auditd: [ OK ]
>> Error sending add rule data request (Unknown error 524)
>> There was an error in line 27 of /etc/audit/audit.rules
To know what is happening, I'd need to know your audit package version and kernel
version. And then I'd need to see the actual rule and an strace of loading just that
one rule from the command line.
>> isn't the real problem, so what do the experts here think?
The audit system complements SE Linux in that it records the results of Access Vector
Calculations (AVCs) whenever the rules say to. But SE Linux will work without the audit
system.
>> SELinux is running in permissive mode, and seems to be logging res=success for
>> everything so far,
SE Linux does not record "res=" fields. That is the audit system doing its
normal stuff. To see if you have denials, I'd run the summary report: "aureport
--start today" to see if you have anything in the avc row. If so, you can look
deeper with "aureport --start today --avc -i". You would look for denied in the
second to last column of each row. An example:
1. 10/15/2007 20:14:07 vpnc-script user_u:system_r:vpnc_t:s0 stat file getattr
system_u:object_r:var_run_t:s0 denied 180
>> Would it have logged res=denied for anything if set to permissive?
You need to look for "denied" in avc records.
-Steve
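
What "look for denied in avc records" means on the raw records, as an added example that is not part of the original message: the log lines are constructed and the function names are assumptions. It keeps the audit system's res= and success= fields apart from the AVC verdict, and shows a denied AVC whose syscall still reports success, as happens in permissive mode.

```python
import re
from collections import Counter

# Constructed sample records in raw audit.log layout (not taken from the thread).
SAMPLE_LOG = """\
type=USER_START msg=audit(1192493000.101:171): user pid=2101 uid=0 auid=500 msg='PAM: session open acct="root" : exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=ssh res=success)'
type=AVC msg=audit(1192493647.412:180): avc:  denied  { getattr } for  pid=2345 comm="vpnc-script" name="resolv.conf" dev=dm-0 ino=98765 scontext=user_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1192493647.412:180): arch=40000003 syscall=195 success=yes exit=0 pid=2345 comm="vpnc-script" exe="/bin/bash" subj=user_u:system_r:vpnc_t:s0
type=AVC msg=audit(1192493700.020:181): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*(.*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(log):
    records = []
    for line in log.splitlines():
        head = HEADER.match(line)
        if not head:
            continue  # not an audit record
        body = line[head.end():]
        verdict = AVC.search(body)
        fields = {k: v.strip("\"')") for k, v in FIELD.findall(body)}
        records.append({"type": head.group(1), "event": int(head.group(2)),
                        "avc": verdict.groups() if verdict else None, "fields": fields})
    return records

def summarize(log):
    records = parse_records(log)
    # res= comes from user-space audit records and success= from SYSCALL records;
    # neither one is the SELinux decision, which is the verdict word in type=AVC.
    res_counts = Counter(r["fields"]["res"] for r in records
                         if r["type"] != "AVC" and "res" in r["fields"])
    syscall_ok = {r["event"]: r["fields"].get("success")
                  for r in records if r["type"] == "SYSCALL"}
    denials = []
    for r in records:
        if r["type"] == "AVC" and r["avc"] and r["avc"][0] == "denied":
            f = r["fields"]
            denials.append({"event": r["event"], "comm": f.get("comm"),
                            "perms": r["avc"][1].split(), "subj": f.get("scontext"),
                            "obj": f.get("tcontext"), "class": f.get("tclass"),
                            "syscall_success": syscall_ok.get(r["event"])})
    return {"res": dict(res_counts), "denials": denials}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```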