auditd service fails to start with "Could not open dir /var/log/audit (Permission denied)" error.

Solution Unverified - Updated -


  • After moving /var/log/audit to its own file system, the auditd service will not start with following error:
Aug 21 09:51:56 hostname kernel: type=1400 audit(1408629116.556:114710): avc:  denied  { read } for  pid=34371 comm="auditd" name="/" dev=dm-53 ino=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 21 09:51:56 hostname auditd: Could not open dir /var/log/audit (Permission denied)
Aug 21 09:51:56 hostname auditd: The audit daemon is exiting.


  • Red Hat Enterprise Linux (RHEL).
  • Auditd service.
  • selinux contexts.

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content