Why can't I start auditd when SELinux is enabled?
Issue
- auditd will not start with selinux enabled
- If selinux is configured to permissive mode, auditd starts fine
- The below are the AVC's:
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_override } for pid=4685 comm="auditd" capability=1 context=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_read_search } for pid=4685 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_override } for pid=4685 comm="auditd" capability=1 scontext=user_u:system_r:auditd_t:s0 context=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied { dac_read_search } for pid=4685 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1300 audit(1275925325.162:58): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5a0dd16b a1=400 a2=d4f a3=0 items=2 ppid=4684 pid=4685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="auditd" exe="/sbin/auditd" subj=user_u:system_r:auditd_t:s0 key=(null)
Jun 7 11:42:05 ccsvm kernel: type=1307 audit(1275925325.162:58): cwd="/"
Jun 7 11:42:05 ccsvm kernel: type=1302 audit(1275925325.162:58): item=0 name="/var/log/audit/audit.log"
Jun 7 11:42:05 ccsvm kernel: type=1302 audit(1275925325.162:58): item=1 name="/var/log/audit/audit.log"
Jun 7 11:42:05 ccsvm auditd: Unable to open /var/log/audit/audit.log (Permission denied)
Jun 7 11:42:05 ccsvm auditd: The audit daemon is exiting.
- Permissions of /var/log/audit/audit.log
-rw-r----- 1 root root 108095 Jun 7 11:41 /var/log/audit/audit.log
- Attempting a service auditd restart fails to resolve the issue
Environment
- Red Hat Enterprise Linux 5
- selinux-policy