Audit messages being disabled
Any ideas how I can track down what might be blocking the logging of
audit messages to /var/log/audit/audit.log? The last entry there is at 12:56:16 today, which is just as the system was coming up after a reboot (matches the timestamps for the never-used LOGIN entries in /var/run/utmp). I do see these lines in /var/log/messages right afterward:

Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove rule" key=(null) list=4 res=0

Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1

Thereafter, there are "dbus: Can't send to audit system" messages.

The auditd service shows as running. If I restart auditd, audit.log shows "auditd normal halt" and "auditd start" messages, and after that messages do get logged to audit.log.

I have no clue what might be setting audit_enabled=0 in the kernel, but that "remove rule" message just before makes me suspicious that it's SELinux related.

--
Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Audit messages being disabled
On 04/21/2010 10:11 PM, Robert Nichols wrote:
> Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143):
> auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove
> rule" key=(null) list=4 res=0
>
> Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144):
> audit_enabled=0 old=1 auid=4294967295 ses=4294967295
> subj=system_u:system_r:readahead_t:s0 res=1

[SNIP]

> I have no clue what might be setting audit_enabled=0 in the kernel,
> but that "remove rule" message just before makes me suspicious that
> it's SELinux related.

I take that back. SELinux is not at fault here. It looks like a race condition in readahead. Full story here:

https://bugzilla.redhat.com/show_bug.cgi?id=584643

--
Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.

Audit messages being disabled
On 04/21/2010 11:11 PM, Robert Nichols wrote:
> Any ideas how I can track down what might be blocking the logging of
> audit messages to /var/log/audit/audit.log? The last entry there
> is at 12:56:16 today, which is just as the system was coming up after
> a reboot (matches the timestamps for the never-used LOGIN entries in
> /var/run/utmp). I do see these lines in /var/log/messages right
> afterward:
>
> Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143):
> auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove
> rule" key=(null) list=4 res=0

readahead sets up auditing to watch all file opens on boot. This allows it to optimize itself on the next boot. At a certain point during the boot process readahead turns off the watch on open, and that is what you are seeing.

>
> Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144):
> audit_enabled=0 old=1 auid=4294967295 ses=4294967295
> subj=system_u:system_r:readahead_t:s0 res=1
>
> Thereafter, there are "dbus: Can't send to audit system" messages.
>
> The auditd service shows as running. If I restart auditd, audit.log
> shows "auditd normal halt" and "auditd start" messages, and after that
> messages do get logged to audit.log.
>
> I have no clue what might be setting audit_enabled=0 in the kernel,
> but that "remove rule" message just before makes me suspicious that
> it's SELinux related.
>

Maybe, but I doubt it.
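
Added example, not part of the thread and not code from auditd or readahead: a detector for the symptom discussed above, which reads syslog text, picks out type=1305 (CONFIG_CHANGE) records and reports each window in which audit_enabled was 0. The first two sample lines are copied from the thread; the third (a re-enable record) and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Two records copied from the thread, plus one constructed re-enable record.
SAMPLE = """\
Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove rule" key=(null) list=4 res=0
Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
Apr 21 14:02:10 omega-3a kernel: type=1305 audit(1271876530.120:3): audit_enabled=1 old=0 auid=500 ses=2 subj=system_u:system_r:auditd_t:s0 res=1
"""

HEADER = re.compile(r"type=1305 audit\((\d+)\.(\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET = "4294967295"  # (uint32)-1: no login uid assigned, i.e. not a logged-in user

def parse_config_changes(text):
    """Yield one dict per type=1305 (CONFIG_CHANGE) record found in syslog text."""
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
        rec["time"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        rec["serial"] = int(m.group(3))
        yield rec

def audit_gaps(text):
    """Return [(disabled_at, enabled_at_or_None, subj, login_uid_set)]."""
    gaps, open_gap = [], None
    for rec in parse_config_changes(text):
        if "audit_enabled" not in rec or rec.get("res") != "1":
            continue  # rule changes and failed attempts do not toggle the state
        if rec["audit_enabled"] == "0" and open_gap is None:
            open_gap = (rec["time"], rec.get("subj"), rec.get("auid") != UNSET)
        elif rec["audit_enabled"] != "0" and open_gap is not None:
            gaps.append((open_gap[0], rec["time"], open_gap[1], open_gap[2]))
            open_gap = None
    if open_gap is not None:  # auditing was never turned back on in this log
        gaps.append((open_gap[0], None, open_gap[1], open_gap[2]))
    return gaps

if __name__ == "__main__":
    for start, end, subj, login_set in audit_gaps(SAMPLE):
        print(f"auditing off from {start:%Y-%m-%d %H:%M:%S}Z until "
              f"{end or 'end of log'}; disabled by {subj}, login uid set: {login_set}")
```

A gap whose end is None, disabled by a subject with no login uid, is the pattern from the thread: a boot-time service turned auditing off and nothing turned it back on until auditd was restarted.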