Why can't I start auditd when SELinux is enabled?


Issue

  • auditd will not start when SELinux is enabled (enforcing)
  • If SELinux is set to permissive mode, auditd starts fine
  • The following AVC denials are logged:
 Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied  { dac_override } for  pid=4685 comm="auditd" capability=1 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
 Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied  { dac_read_search } for  pid=4685 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability  
 Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied  { dac_override } for  pid=4685 comm="auditd" capability=1 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
 Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied  { dac_read_search } for  pid=4685 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability  
 Jun 7 11:42:05 ccsvm kernel: type=1300 audit(1275925325.162:58): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5a0dd16b a1=400 a2=d4f a3=0 items=2 ppid=4684 pid=4685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="auditd" exe="/sbin/auditd" subj=user_u:system_r:auditd_t:s0 key=(null)  
 Jun 7 11:42:05 ccsvm kernel: type=1307 audit(1275925325.162:58): cwd="/" 
 Jun 7 11:42:05 ccsvm kernel: type=1302 audit(1275925325.162:58): item=0 name="/var/log/audit/audit.log"  
 Jun 7 11:42:05 ccsvm kernel: type=1302 audit(1275925325.162:58): item=1 name="/var/log/audit/audit.log"  
 Jun 7 11:42:05 ccsvm auditd: Unable to open /var/log/audit/audit.log (Permission denied)  
 Jun 7 11:42:05 ccsvm auditd: The audit daemon is exiting.
  • Permissions of /var/log/audit/audit.log
 -rw-r----- 1 root root 108095 Jun  7 11:41 /var/log/audit/audit.log
  • Running service auditd restart does not resolve the issue
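
All of the kernel records above carry the same audit event ID (1275925325.162:58). The following Python example is added here and is not part of the original article: it groups syslog-forwarded audit records by that ID so the AVC denials can be read together with the failed syscall and the path it touched. The sample input is constructed by abridging the lines above, and the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the syslog lines in the Issue section.
SAMPLE = '''\
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied  { dac_override } for  pid=4685 comm="auditd" capability=1 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1400 audit(1275925325.162:58): avc: denied  { dac_read_search } for  pid=4685 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Jun 7 11:42:05 ccsvm kernel: type=1300 audit(1275925325.162:58): arch=c000003e syscall=2 success=no exit=-13 pid=4685 uid=0 comm="auditd" exe="/sbin/auditd"
Jun 7 11:42:05 ccsvm kernel: type=1302 audit(1275925325.162:58): item=0 name="/var/log/audit/audit.log"
Jun 7 11:42:05 ccsvm auditd: Unable to open /var/log/audit/audit.log (Permission denied)
'''

# Kernel audit record types that appear in the excerpt (linux/audit.h).
AVC, SYSCALL, PATH = 1400, 1300, 1302
RECORD = re.compile(r'type=(\d+) audit\((\d+\.\d+:\d+)\): (.*)')
AVC_BODY = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}.*?comm="([^"]+)".*?'
                      r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def correlate(lines):
    """Group records by audit event ID; return only events with an AVC denial."""
    events = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue  # ordinary syslog message, not an audit record
        rtype, event_id, body = int(m.group(1)), m.group(2), m.group(3)
        ev = events[event_id]
        if rtype == AVC:
            a = AVC_BODY.search(body)
            if a:
                ev["perms"].update(a.group(1).split())
                ev.update(comm=a.group(2), scontext=a.group(3), tclass=a.group(5))
        elif rtype == SYSCALL:
            fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
            ev.update(syscall=int(fields["syscall"]), exit=int(fields["exit"]))
        elif rtype == PATH:
            p = re.search(r'name="([^"]+)"', body)
            if p:
                ev["paths"].add(p.group(1))
    return {eid: ev for eid, ev in events.items() if ev["perms"]}

if __name__ == "__main__":
    for eid, ev in correlate(SAMPLE.splitlines()).items():
        print(eid, ev["comm"], sorted(ev["perms"]), "syscall", ev.get("syscall"),
              "exit", ev.get("exit"), sorted(ev["paths"]))
```

In the sample, syscall 2 on arch c000003e (x86_64) is open and exit -13 is EACCES, which matches the daemon's own "Unable to open /var/log/audit/audit.log (Permission denied)" message.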

Environment

  • Red Hat Enterprise Linux 5
  • selinux-policy
