03-20-2008, 11:36 AM
Stephen Smalley

auditd failing to start

On Wed, 2008-03-19 at 11:51 -0700, pselinux wrote:
> Hi,
> I am on Red Hat Linux enterprise 5 (Dell 1950). Auditing is failing to
> start. This is the message in messages file
>
> Mar 19 10:14:08 myhost kernel: input: USB HID v1.00 Keyboard [Silitek Standard USB Keyboard ] on usb-0000:00:1d.7-5.1
> Mar 19 10:14:36 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) No such file or directory
> Mar 19 10:19:10 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
> Mar 19 10:20:22 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
> Mar 19 12:20:01 myhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
> Mar 19 12:27:42 myhost kernel: audit(1205944062.921:39): avc: denied { getattr } for pid=32443 comm="auditd" path="/etc/resolv.conf" dev=sda3 ino=15124046 scontext=user_u:system_r:auditd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
> Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 12:27:42 myhost kernel: audit(1205944062.922:41): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 12:27:42 myhost kernel: audit(1205944062.922:42): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 12:27:42 myhost kernel: audit(1205944062.923:43): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 12:27:42 myhost auditd: The audit daemon is exiting.
>
> then i did the following
>
> grep auditd /var/log/messages | audit2allow -M auditsocket
> semodule -i auditsocket.pp
>
> i tried starting auditd again, it kept giving me messages for auditd denied,
> right now i see this
>
> Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc: denied { getattr } for pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs ino=21080 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 14:05:37 myhost kernel: audit(1205949937.513:119): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 14:05:37 myhost kernel: audit(1205949937.514:120): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc: denied { read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769 faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
> Mar 19 14:05:37 learn6 auditd: The audit daemon is exiting.
>
> I need help to resolve this above issue. Am i doing something wrong? Can
> someone help me please.
>
> i do not want to disable SELinux.

So on the first attempt, auditd only got so far in its initialization
before exiting and thus didn't generate the later set of audit messages.

You can keep iteratively generating new policy modules as you did above
and inserting them until you get a working auditd, or you can just
switch to permissive mode temporarily (setenforce 0), start auditd to
generate the full set of audit messages, and generate the final policy
module in one go. Then switch back to enforcing mode (setenforce 1).

A finer-grained way of doing this is coming via permissive domains,
where you can make a single domain permissive.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
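The workflow Stephen describes (collect the AVC denials, feed them to audit2allow, insert the module, start auditd again, repeat until it stays up) is easier to reason about once you see what audit2allow actually does with those lines. The Python below is an added example and is not code from the thread or from the audit/policycoreutils packages. Its sample log is constructed from the denials quoted above, with the xx.xx.xx.xx addresses replaced by placeholder RFC 1918 addresses and the net_conf_t tcontext written out as system_u:object_r (the archive garbled it); the regular expressions, function names and rule formatting are my own, and the rule strings only mimic the shape audit2allow emits, so on a real box the real tool should still build the .pp module. Grouping the denials by auditd pid shows the point Stephen makes: each start attempt dies at its first fatal denial, so one run never shows the whole set, which is why a permissive-mode run (or several iterations) is needed.

```python
"""Summarise SELinux AVC denials the way audit2allow does (added example).

Assumed workflow on the host itself, as described in the thread:
    setenforce 0                      # temporarily permissive
    service auditd restart            # let auditd run far enough to hit every denial
    grep 'avc: *denied' /var/log/messages | audit2allow -M auditdfix
    semodule -i auditdfix.pp
    setenforce 1
With auditd down, the kernel's audit records are printed to syslog (the
"kernel: audit(...)" lines), which is why /var/log/messages rather than
/var/log/audit/audit.log is the input here.
"""
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the thread, first attempt
# (pid 32443) then second attempt (pid 3899), plus two non-AVC lines.
AVC_LOG = """\
Mar 19 12:27:42 myhost kernel: audit(1205944062.921:39): avc: denied { getattr } for pid=32443 comm="auditd" path="/etc/resolv.conf" dev=sda3 ino=15124046 scontext=user_u:system_r:auditd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:41): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost auditd: The audit daemon is exiting.
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc: denied { getattr } for pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs ino=21080 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc: denied { read } for pid=3899 comm="auditd" laddr=10.0.0.5 lport=32769 faddr=10.0.0.53 fport=53 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc_line(line):
    """Return a dict describing an AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'stype': type_of(fields['scontext']),
        'ttype': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def denials_by_run(log_text):
    """Group denials by auditd pid, i.e. per start attempt.

    Each attempt exits at its first fatal denial, so one run only shows the
    denials reached before that point; later ones appear only after the
    earlier ones are allowed or SELinux is switched to permissive.
    """
    runs = defaultdict(list)
    for line in log_text.splitlines():
        d = parse_avc_line(line)
        if d is not None:
            runs[d['pid']].append((d['tclass'], tuple(d['perms'])))
    return dict(runs)


def denials_to_rules(log_text):
    """Collapse all denials into one allow rule per (source, target, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc_line(line)
        if d is None:
            continue
        target = 'self' if d['ttype'] == d['stype'] else d['ttype']
        rules[(d['stype'], target, d['tclass'])].update(d['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


if __name__ == '__main__':
    for pid, denials in denials_by_run(AVC_LOG).items():
        print('pid %s: %s' % (pid, denials))
    print('\n'.join(denials_to_rules(AVC_LOG)))
```

Before inserting a module like this, ask whether auditd_t should be talking to a DNS server at all: the combined rule grants the audit daemon UDP socket use and access to net_conf_t, which is broader than the daemon normally needs. In this thread the cause turned out to be configuration rather than policy, so fixing the configuration is the tighter change.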
 
03-20-2008, 02:55 PM
Stephen Smalley

auditd failing to start

> Hi Stephen,
> Thank you for the reply. I interactively generated the new policy
> modules and inserted them. I repeated 6 times. Now auditd does not start and
> there are no SELinux related messages in the system logs. The only message I see is
> "The audit daemon is exiting". No messages in /var/log/audit either.
>
> I tried setting SELinux in permissive mode, and auditd won't start in
> this mode.
>
> Without enabling audit I cannot put this server in production. Any
> input greatly appreciated.

What precise output do you get upon:
# /sbin/service auditd restart

And what is your audit configuration (under /etc/audit)?

No output in /var/log/audit/audit.log?

--
Stephen Smalley
National Security Agency

03-20-2008, 03:39 PM
Steve G

auditd failing to start

> Thank you for the reply. Current version is audit-1.5.5-7.el5.

OK, I thought you were running something newer from 5.2 beta. This uses the old event dispatcher which doesn't do anything fancy. Maybe you would want to try disabling the dispatcher and see if you are still having a problem. Add a # at the beginning of the line for dispatcher= in /etc/audit/auditd.conf. This will affect setroubleshoot, though.

But I got to admit that I haven't seen this kind of behavior before for the older software. Do you have auditd.conf setup to send email alerts? Also, avcs don't tell you the whole story alone. You may need to temporarily add a simple rule like, "-w /etc/shadow -p w", to /etc/audit/audit.rules to trigger more detailed information. This sounds like a program that is being run from auditd doesn't have an auto transition and therefore appears as if it were auditd_t.

> Man pages for auditd.conf do not show name_format option. Anyway I tried
> both options name_format = none and name_format = hostname and still
> auditd fails to startup.

Yeah, that's for the newer 5.2 version.

-Steve




03-20-2008, 04:04 PM
Steve G

auditd failing to start

> space_left = 75
> #space_left_action = SYSLOG
> space_left_action = email
> action_mail_acct = scook@ntis.gov


^^^
This is where you are getting the DNS issues running from a child.


But auditd should write to syslog why it was exiting. My guess is disk is full.

-Steve
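Steve G's two replies point at configuration rather than policy: the email action makes auditd spawn a mail helper that does name resolution, and the dispatcher is another child of auditd; a helper without its own domain transition keeps running as auditd_t, so its denials are charged to the daemon. The Python below is an added example, not code from the thread or from the audit package. It parses a constructed auditd.conf modelled on the fragment quoted above (placeholder mail address, and a dispatcher line that the quoted fragment did not show) and reports each setting under which auditd forks a helper. The key names are real auditd.conf keys; the check itself is mine and is meant as a pre-production review aid, not as a replacement for reading the daemon's own syslog output.

```python
"""Flag auditd.conf settings that make auditd run a helper program (added example)."""

# Constructed auditd.conf fragment modelled on the one quoted in the thread;
# the mail address is a placeholder and the dispatcher line is assumed.
AUDITD_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
dispatcher = /sbin/audispd
space_left = 75
#space_left_action = SYSLOG
space_left_action = email
action_mail_acct = root@example.com
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""

# The auditd.conf actions whose value can name an external program to run.
ACTION_KEYS = ('space_left_action', 'admin_space_left_action',
               'disk_full_action', 'disk_error_action')


def parse_auditd_conf(text):
    """Parse key = value lines; '#' starts a comment, keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or '=' not in line:
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        conf[key.lower()] = value
    return conf


def forking_settings(conf):
    """Return (key, value, reason) for each setting that makes auditd fork a helper.

    Such helpers run in auditd's own SELinux domain unless policy transitions
    them, so their denials (for example DNS lookups by the mailer) appear as
    auditd_t denials. Commenting out dispatcher= removes one of them, at the
    cost of anything that consumes the dispatcher feed (setroubleshoot).
    """
    findings = []
    if conf.get('dispatcher'):
        findings.append(('dispatcher', conf['dispatcher'],
                         'audit event dispatcher is started as a child of auditd'))
    for key in ACTION_KEYS:
        value = conf.get(key, '')
        action = value.split()[0].lower() if value else ''
        if action == 'email':
            findings.append((key, value,
                             'mails %s via the local MTA, which may resolve names'
                             % conf.get('action_mail_acct', 'root')))
        elif action == 'exec':
            findings.append((key, value, 'executes the configured program'))
    return findings


if __name__ == '__main__':
    for key, value, reason in forking_settings(parse_auditd_conf(AUDITD_CONF)):
        print('%s = %s: %s' % (key, value, reason))
```

Switching space_left_action back to SYSLOG (the commented-out value in the quoted fragment) and commenting out dispatcher= gives an empty report; whether that is acceptable depends on whether anyone is reading syslog for the low-disk warning, since the point of the email action is that someone is.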



