audit avc F16

Daniel J Walsh dwalsh at redhat.com
Mon Apr 2 18:19:59 UTC 2012



On 04/01/2012 09:12 AM, Frank Murphy wrote:
> Currently auditd fails to start on a particular guest.
> 
> service auditd restart
> Redirecting to /bin/systemctl restart auditd.service
> [  199.986682] type=1400 audit(1333285442.114:6): avc:  denied  { dac_override } for  pid=1409 comm="auditd" capability=1 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
> [  199.988842] type=1400 audit(1333285442.116:7): avc:  denied  { dac_read_search } for  pid=1409 comm="auditd" capability=2 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
> Job failed. See system logs and 'systemctl status' for details.
> 
> 
> systemctl status auditd.service gives nothing extra to above.
> 
> 
dac_override and dac_read_search almost always means you have a file with the
wrong ownership/permissions on it.  This indicates you have a root process
that does not have read or write access to a file based on permissions.  The
way to find the object that auditd is not being allowed to access is to turn
on full auditing.  For example, execute


auditctl -w /etc/shadow

Then start the audit service and see if you get an avc including the PATH
record.  You may need to do this in permissive role, or run auditd in permissive:

semanage permissive -a auditd_t


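The diagnostic step described in the reply above (correlating a dac_override / dac_read_search AVC denial with the PATH record of the same audit event, which only appears once full auditing is on) as an added example, not code from the original thread. The sample log lines are constructed; they follow the audit.log record format, and the event-id match also accepts the dmesg-style `type=1400 audit(...)` lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: event :6 has a PATH record (full auditing on), event :7 does not.
SAMPLE_LOG = """\
type=AVC msg=audit(1333285442.114:6): avc:  denied  { dac_override } for  pid=1409 comm="auditd" capability=1  scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
type=SYSCALL msg=audit(1333285442.114:6): arch=c000003e syscall=2 success=no exit=-13 comm="auditd" exe="/sbin/auditd" subj=system_u:system_r:auditd_t:s0
type=PATH msg=audit(1333285442.114:6): item=0 name="/var/log/audit/audit.log" inode=131 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:auditd_log_t:s0
type=AVC msg=audit(1333285442.116:7): avc:  denied  { dac_read_search } for  pid=1409 comm="auditd" capability=2  scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
"""

# Every record of one audit event (AVC, SYSCALL, PATH) carries the same
# "timestamp:serial" inside audit(...); that is the join key.
EVENT_RE = re.compile(r"audit\((\d+\.\d+:\d+)\)")
AVC_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]*) \} for\s+pid=(\d+) comm="([^"]*)".*?tclass=(\S+)')
PATH_RE = re.compile(r'type=PATH .*?name="([^"]*)".*?mode=(\d+) ouid=(\d+) ogid=(\d+)')

# Capability denials that, as the reply says, almost always mean a DAC
# ownership/permission problem on a file rather than a missing SELinux rule.
DAC_PERMS = {"dac_override", "dac_read_search"}


def correlate_dac_denials(log_text):
    """Map event id -> DAC-capability denial, joined with PATH records of that event."""
    denials, paths = {}, defaultdict(list)
    for line in log_text.splitlines():
        ev = EVENT_RE.search(line)
        if not ev:
            continue
        event = ev.group(1)
        avc = AVC_RE.search(line)
        if avc:
            hit = set(avc.group(1).split()) & DAC_PERMS
            if hit:
                denials[event] = {"perms": sorted(hit), "pid": int(avc.group(2)),
                                  "comm": avc.group(3), "tclass": avc.group(4), "paths": []}
            continue
        p = PATH_RE.search(line)
        if p:
            paths[event].append({"name": p.group(1), "mode": p.group(2),
                                 "ouid": int(p.group(3)), "ogid": int(p.group(4))})
    for event, d in denials.items():
        d["paths"] = paths.get(event, [])  # empty until full auditing supplies PATH records
    return denials


def non_root_owned(denials):
    """Objects from DAC-denial events that root does not own: the usual culprits to chown/chmod."""
    return [(ev, p["name"], p["ouid"], p["ogid"]) for ev, d in sorted(denials.items())
            for p in d["paths"] if p["ouid"] != 0 or p["ogid"] != 0]
```

An event with an empty `paths` list is the signal to add the `auditctl -w` watch (or go permissive) and retry, so the PATH record gets recorded.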

