Re: auditd fails to start on FC6 system, newer kernels effect?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2007-11-17 at 04:31 -0500, Gene Heskett wrote:
> Greetings;
> 
> FC6 system, uptodate, kernel 2.6.24-rc3, but this has existed since I 
> re-enabled selinux in permissive mode just to see what complained.
> 
> The manpage says to use the -f option for foreground troubleshooting, so here 
> goes:
> 
> [root@coyote linux-2.6.24-rc3]# man auditd
> [root@coyote linux-2.6.24-rc3]# which auditd
> /sbin/auditd
> [root@coyote linux-2.6.24-rc3]# auditd -f
> Config file /etc/audit/auditd.conf opened for parsing
> log_file_parser called with: /var/log/audit/audit.log
> log_format_parser called with: RAW
> priority_boost_parser called with: 3
> flush_parser called with: INCREMENTAL
> freq_parser called with: 20
> num_logs_parser called with: 4
> dispatch_parser called with: /sbin/audispd
> qos_parser called with: lossy
> max_log_size_parser called with: 5
> max_log_size_action_parser called with: ROTATE
> space_left_parser called with: 75
> space_action_parser called with: SYSLOG
> action_mail_acct_parser called with: root
> admin_space_left_parser called with: 50
> admin_space_left_action_parser called with: SUSPEND
> disk_full_action_parser called with: SUSPEND
> disk_error_action_parser called with: SUSPEND
> Started dispatcher: /sbin/audispd pid: 7828
> type=DAEMON_START msg=audit(1195291550.719:1106) auditd start, ver=1.4.2, 
> format=raw, auid=4294967295 pid=7824 res=success, auditd pid=7824
> config_manager init complete
> Error setting audit daemon pid (Connection refused)
> type=DAEMON_ABORT msg=audit(1195291550.720:1107) auditd error halt, 
> auid=4294967295 pid=7824 res=failed, auditd pid=7824
> Unable to set audit pid, exiting
> The audit daemon is exiting.
> Error setting audit daemon pid (Connection refused)
> [root@coyote linux-2.6.24-rc3]#
> 
> Connection refused sounds as if something else isn't running that should be, 
> but no direct clue, so what else needs to run too, before auditd?

More of a question for linux-audit (cc'd).  Offhand, I'd guess that the
ECONNREFUSED is coming from the netlink code, but I don't know why.
Running it under strace might be illuminating.
 
-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux