Hi,
I am on Red Hat Linux enterprise 5 (Dell 1950). Auditing is failing to
start. This is the message in messages file
Mar 19 10:14:08 myhost kernel: input: USB HID v1.00 Keyboard [Silitek
Standard USB Keyboard ] on usb-0000:00:1d.7-5.1
Mar 19 10:14:36 myhost restorecond: Will not restore a file with more than
one hard link (/etc/resolv.conf) No such file or directory
Mar 19 10:19:10 myhost restorecond: Will not restore a file with more than
one hard link (/etc/resolv.conf) Invalid argument
Mar 19 10:20:22 myhost restorecond: Will not restore a file with more than
one hard link (/etc/resolv.conf) Invalid argument
Mar 19 12:20:01 myhost dbus: Can't send to audit system: USER_AVC avc:
received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?,
addr=?, terminal=?)
Mar 19 12:27:42 myhost kernel: audit(1205944062.921:39): avc: denied {
getattr } for pid=32443 comm="auditd" path="/etc/resolv.conf" dev=sda3
ino=15124046 scontext=user_u:system_r:auditd_t:s0
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc: denied {
connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:41): avc: denied {
connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:42): avc: denied {
connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.923:43): avc: denied {
connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost auditd: The audit daemon is exiting.
then i did the following
get auditd /var/log/messages|audit2allow -M auditsocket
semodule -i auditsocket.pp
i tried starting auditd again, it kept giving me messages for auditd denied,
right now i see this
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc: denied {
getattr } for pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs
ino=21080 scontext=user_u:system_
r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc: denied {
read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
faddr=xx.xx.xx.xx fport=53 scontex
t=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.513:119): avc: denied {
read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
faddr=xx.xx.xx.xx fport=53 scontex
t=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.514:120): avc: denied {
read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
faddr=xx.xx.xx.xx fport=53 scontex
t=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc: denied {
read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
faddr=xx.xx.xx.xx fport=53 scontex
t=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0
tclass=udp_socket
Mar 19 14:05:37 learn6 auditd: The audit daemon is exiting.
I need help to resolve this above issue. Am i doing something wrong? Can
someone help me please.
i do not want to disable SELinux.
Thanks in advance.
--
View this message in context: http://www.nabble.com/aduitd-failing-to-start-tp16148276p16148276.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
