Why can't I start auditd when SELinux is enabled?
Issue
- auditd will not start with selinux enabled
- If selinux is configured to permissive mode, auditd starts fine
- The below are the AVC's:
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_override } for pid=4685 comm="auditd" capability=1 context=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_read_search } for pid=4685 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_override } for pid=4685 comm="auditd" capability=1 scontext=user_u:system_r:auditd_t:s0 context=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_read_search } for pid=4685 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1300 audit(1275925325.162:58): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5a0dd16b a1=400 a2=d4f a3=0 items=2 ppid=4684 pid=4685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="auditd" exe="/sbin/auditd" subj=user_u:system_r:auditd_t:s0 key=(null)
Jun 7 11:42:05 ccsvm kernel: type=1307 audit(1275925325.162:58): cwd="/"
Jun 7 11:42:05 ccsvm kernel: type=1302 audit(1275925325.162:58): item=0 name="/var/log/audit/audit.log"
Jun 7 11:42:05 ccsvm kernel: type=1302 audit(1275925325.162:58): item=1 name="/var/log/audit/audit.log"
Jun 7 11:42:05 ccsvm auditd: Unable to open /var/log/audit/audit.log (Permission denied)
Jun 7 11:42:05 ccsvm auditd: The audit daemon is exiting.
- Permissions of /var/log/audit/audit.log
-rw-r----- 1 root root 108095 Jun 7 11:41 /var/log/audit/audit.log
- Attempting a service auditd restart fails to resolve the issue
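The kernel records above all carry the event ID 1275925325.162:58, so the AVC denials, the failing syscall and the path it acted on describe a single event. The Python script below is an added example, not part of the original article: it groups such syslog-forwarded audit records by event ID and summarises each denied event. The sample input is abridged from the lines quoted above, and the function name correlate is an assumption of this example.

```python
import errno
import re
from collections import defaultdict

# Abridged copies of the syslog-forwarded records quoted above (some fields dropped).
SAMPLE = """\
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_override } for pid=4685 comm="auditd" capability=1 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_read_search } for pid=4685 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1300 audit(1275925325.162:58): arch=c000003e syscall=2 success=no exit=-13 pid=4685 uid=0 comm="auditd" exe="/sbin/auditd"
Jun 7 11:42:05 ccsvm kernel: type=1302 audit(1275925325.162:58): item=0 name="/var/log/audit/audit.log"
Jun 7 11:42:05 ccsvm auditd: Unable to open /var/log/audit/audit.log (Permission denied)
"""

RECORD = re.compile(r"type=(\d+) audit\((\d+\.\d+:\d+)\): (.*)")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def correlate(text):
    """Group kernel audit records by event ID and summarise denied events."""
    events = defaultdict(lambda: {"perms": [], "paths": []})
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # not a kernel audit record, e.g. auditd's own syslog message
        rtype, event_id, body = m.groups()
        ev = events[event_id]
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "1400":  # AVC: the SELinux decision
            d = DENIED.search(body)
            if d:
                ev["perms"] += [p for p in d.group(1).split() if p not in ev["perms"]]
                for key in ("scontext", "tcontext", "tclass", "comm"):
                    if key in fields:  # tolerate records with a missing field
                        ev[key] = fields[key]
        elif rtype == "1300":  # SYSCALL: the call that triggered the check
            ev["syscall"] = fields.get("syscall")
            code = int(fields.get("exit", "0"))
            ev["exit"] = errno.errorcode.get(-code, str(code)) if code < 0 else "ok"
            ev["exe"] = fields.get("exe")
        elif rtype == "1302" and "name" in fields:  # PATH: object the call acted on
            if fields["name"] not in ev["paths"]:
                ev["paths"].append(fields["name"])
    return {eid: ev for eid, ev in events.items() if ev["perms"]}

if __name__ == "__main__":
    for eid, ev in correlate(SAMPLE).items():
        print(eid, ev)
```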
Environment
- Red Hat Enterprise Linux 5
- selinux-policy
