Audit messages being disabled (Fedora SELinux Support, Linux Archive: http://www.linux-archive.org/fedora-selinux-support/360293-audit-messages-being-disabled.html)

Robert Nichols 04-22-2010 03:11 AM

Audit messages being disabled
 
Any ideas how I can track down what might be blocking the logging of
audit messages to /var/log/audit/audit.log? The last entry there
is at 12:56:16 today, which is just as the system was coming up after
a reboot (matches the timestamps for the never-used LOGIN entries in
/var/run/utmp). I do see these lines in /var/log/messages right
afterward:

Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143):
auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove
rule" key=(null) list=4 res=0

Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144):
audit_enabled=0 old=1 auid=4294967295 ses=4294967295
subj=system_u:system_r:readahead_t:s0 res=1

Thereafter, there are "dbus: Can't send to audit system" messages.

The auditd service shows as running. If I restart auditd, audit.log
shows "auditd normal halt" and "auditd start" messages, and after that
messages do get logged to audit.log.

I have no clue what might be setting audit_enabled=0 in the kernel,
but that "remove rule" message just before makes me suspicious that
it's SELinux related.

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Robert Nichols 04-22-2010 05:39 AM

Audit messages being disabled
 
On 04/21/2010 10:11 PM, Robert Nichols wrote:
> Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143):
> auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove
> rule" key=(null) list=4 res=0
>
> Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144):
> audit_enabled=0 old=1 auid=4294967295 ses=4294967295
> subj=system_u:system_r:readahead_t:s0 res=1
[SNIP]
> I have no clue what might be setting audit_enabled=0 in the kernel,
> but that "remove rule" message just before makes me suspicious that
> it's SELinux related.

I take that back. SELinux is not at fault here. It looks like a race
condition in readahead. Full story here:

https://bugzilla.redhat.com/show_bug.cgi?id=584643

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.


Daniel J Walsh 04-22-2010 11:20 AM

Audit messages being disabled
 

On 04/21/2010 11:11 PM, Robert Nichols wrote:
> Any ideas how I can track down what might be blocking the logging of
> audit messages to /var/log/audit/audit.log? The last entry there
> is at 12:56:16 today, which is just as the system was coming up after
> a reboot (matches the timestamps for the never-used LOGIN entries in
> /var/run/utmp). I do see these lines in /var/log/messages right
> afterward:
>
> Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143):
> auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove
> rule" key=(null) list=4 res=0
readahead sets up auditing to watch all file opens on boot. This allows
it to optimize itself on the next boot. At a certain point during the
boot process readahead turns off the watch on open, and that is what you
are seeing.
>
> Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144):
> audit_enabled=0 old=1 auid=4294967295 ses=4294967295
> subj=system_u:system_r:readahead_t:s0 res=1
>
> Thereafter, there are "dbus: Can't send to audit system" messages.
>
> The auditd service shows as running. If I restart auditd, audit.log
> shows "auditd normal halt" and "auditd start" messages, and after that
> messages do get logged to audit.log.
>
> I have no clue what might be setting audit_enabled=0 in the kernel,
> but that "remove rule" message just before makes me suspicious that
> it's SELinux related.
>
Maybe, but I doubt it.



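One way to run the search Robert asks for in his first post, and to check Dan's account that it was readahead's rule removal and audit_enabled=0 change that stopped the logging, as an added example that is not part of the original thread: a shell script that pulls the type=1305 (CONFIG_CHANGE) records out of a syslog file and reports every audit_enabled transition together with the SELinux subject and auid that caused it, then lists the domains that turned auditing off. The sample log is constructed here from the lines quoted above; the later re-enable record (sequence 17145, subject auditd_t, timestamp 1271872930.112) is an assumed line added for illustration and does not appear in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): locate the audit CONFIG_CHANGE
# records (type=1305) that flipped the kernel's audit_enabled flag and show
# which SELinux domain did it. The kernel prints these via printk, so they land
# in /var/log/messages even when auditd is no longer receiving anything.

# Constructed sample log. The two 17143/17144 lines mirror the ones quoted in
# the thread; the 17145 line is ASSUMED for illustration (a later re-enable by
# auditd_t) and is not part of the original report.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove rule" key=(null) list=4 res=0
Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
Apr 21 12:56:40 omega-3a dbus: Can't send to audit system
Apr 21 13:02:10 omega-3a kernel: type=1305 audit(1271872930.112:17145): audit_enabled=1 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
EOF

# Print one line per audit_enabled transition found in the file given as $1:
#   <audit sequence> <old>-><new> <subj> auid=<auid>
# Only type=1305 records that carry an audit_enabled= field qualify; the
# "remove rule" record (17143) is a config change but not an enable/disable.
audit_enable_changes() {
    awk '
    /type=1305/ && /audit_enabled=/ {
        seq = prev = cur = subj = auid = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^audit\([0-9.]+:[0-9]+\):?$/) {
                # audit(<epoch.ms>:<seq>): -> keep the sequence number
                match($i, /:[0-9]+\)/)
                seq = substr($i, RSTART + 1, RLENGTH - 2)
            } else if (index($i, "audit_enabled=") == 1) {
                cur = substr($i, 15)
            } else if (index($i, "old=") == 1) {
                prev = substr($i, 5)
            } else if (index($i, "subj=") == 1) {
                subj = substr($i, 6)
            } else if (index($i, "auid=") == 1) {
                auid = substr($i, 6)
            }
        }
        printf "%s %s->%s %s auid=%s\n", seq, prev, cur, subj, auid
    }' "$1"
}

# Distinct SELinux type (third field of the subject context) of every record
# that set audit_enabled from 1 to 0, i.e. the domains that switched auditing off.
audit_disablers() {
    audit_enable_changes "$1" |
        awk '$2 == "1->0" { split($3, s, ":"); print s[3] }' |
        sort -u
}

echo "audit_enabled transitions:"
audit_enable_changes "$SAMPLE_LOG"
echo "domains that disabled auditing:"
audit_disablers "$SAMPLE_LOG"
```

Against the sample, the first function reports `17144 1->0 system_u:system_r:readahead_t:s0 auid=4294967295` for the disable and `17145 0->1 ... auditd_t ...` for the assumed re-enable, and the second prints `readahead_t`. On a live box, point `audit_enable_changes` at /var/log/messages; the current state of the flag can be confirmed with `auditctl -s` (the `enabled` field), and once auditd is receiving again `ausearch -m CONFIG_CHANGE` shows the same records from audit.log. An auid of 4294967295 is the unset login uid, which is what a boot-time service such as readahead runs with.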