>>Hi Stephen,
>> Thank you for the reply. I interactively generated the new policy
>>modules and inserted it. I repeated 6 times. Now auditd does not start and
>>no selinux related messages in the system logs. Only message I see is
>>"The audit daemon is exiting". No messages in /var/log/audit either.
>>I tried setting selinux in permissive mode, and auditd won't start in
>>this mode.
>>Without enabling audit I cannot put this server in production. Any
>>input greatly appreciated.

What precise output do you get upon:
# /sbin/service auditd restart

Output I get is
Starting auditd: [FAILED]

And what is your audit configuration (under /etc/audit)?

Below is the content of the /etc/audit/auditd.conf file

#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
dispatcher = /sbin/audispd
disp_qos = lossy
max_log_file = 30
max_log_file_action = ROTATE
space_left = 75
#space_left_action = SYSLOG
space_left_action = email
action_mail_acct = scook@xxxxxxxx
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND

No output in /var/log/audit/audit.log?

No entry gets logged into /var/log/audit/audit.log

BTW I forgot to mention this in my earlier emails...sorry....sorry, I hope this might help. Audit used to work and stopped working; this is the sequence of events that happened before audit stopped.

1. I set SELinux to disabled (I think, not sure about permissive), since apache and java app was causing a lot of issues during startup. To debug this issue I had to disable selinux.
2. Finally I figured it was something else that caused the apache and java app errors.
3. Then I enabled SELinux and created /.autorelabel and rebooted it. When I was going through the system checklist, I found out that audit was starting.
Here are the last couple of entries (on Feb 29th, 08) in /var/log/audit.log

type=CWD msg=audit(1204313263.896:1829993): cwd="/"
type=PATH msg=audit(1204313263.896:1829993): item=0 name="/usr/lib/locale/locale-archive" inode=12838402 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:locale_t:s0
type=SYSCALL msg=audit(1204313263.896:1829994): arch=40000003 syscall=5 success=yes exit=3 a0=9c0bce8 a1=8000 a2=0 a3=8000 items=1 ppid=10587 pid=10597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="id" exe="/usr/bin/id" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1204313263.896:1829994): cwd="/"
type=PATH msg=audit(1204313263.896:1829994): item=0 name="/proc/self/task/10597/attr/current" inode=694485046 dev=00:03 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1204313263.896:1829995): arch=40000003 syscall=5 success=yes exit=6 a0=91c9630 a1=8000 a2=0 a3=8000 items=1 ppid=1 pid=2278 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" subj=system_u:system_r:setrans_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1204313263.896:1829995): cwd="/"
type=PATH msg=audit(1204313263.896:1829995): item=0 name="/proc/10597/attr/current" inode=694485016 dev=00:03 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1204313263.897:1829996): arch=40000003 syscall=5 success=yes exit=3 a0=4424fb77 a1=0 a2=0 a3=ffffffff items=1 ppid=10587 pid=10598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="selinuxenabled" exe="/usr/sbin/selinuxenabled" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1204313263.897:1829996): cwd="/"

4. I once manually ran fixfiles. When did I run this? I don't remember the sequence.

Thanks for the help.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
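
To pin down when auditd last wrote a record, RAW-format entries like the ones quoted in the message can be grouped by event serial and their epoch timestamps decoded. This is an added example, not part of the original message; the function names are hypothetical and the sample lines are constructed by abridging the quoted entries.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed sample: records abridged from the entries quoted in the message.
SAMPLE = '''\
type=SYSCALL msg=audit(1204313263.896:1829994): arch=40000003 syscall=5 success=yes exit=3 pid=10597 comm="id" exe="/usr/bin/id" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1204313263.896:1829994): cwd="/"
type=PATH msg=audit(1204313263.896:1829994): item=0 name="/proc/self/task/10597/attr/current" inode=694485046
type=SYSCALL msg=audit(1204313263.897:1829996): arch=40000003 syscall=5 success=yes exit=3 pid=10598 comm="selinuxenabled" exe="/usr/sbin/selinuxenabled" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1204313263.897:1829996): cwd="/"
'''

# Record header: type=<TYPE> msg=audit(<epoch>.<millis>:<serial>): <fields>
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): ?(.*)$')
# key=value pairs; values are either double-quoted or a run of non-space chars
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group RAW-format records into events keyed by serial number."""
    events = OrderedDict()
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or truncated lines
        rtype, secs, millis, serial, body = m.groups()
        when = datetime.fromtimestamp(int(secs), timezone.utc)
        when = when.replace(microsecond=int(millis) * 1000)
        ev = events.setdefault(int(serial), {"time": when, "records": []})
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev["records"].append((rtype, fields))
    return events

def last_event(text):
    """Return (serial, UTC time, executable) of the newest event, or None."""
    events = parse_events(text)
    if not events:
        return None
    serial = max(events)
    ev = events[serial]
    exe = next((f.get("exe") for t, f in ev["records"] if t == "SYSCALL"), None)
    return serial, ev["time"], exe

if __name__ == "__main__":
    print(last_event(SAMPLE))
```

Running `last_event` over the full log file gives the moment logging stopped, which can then be lined up against the reboot, relabel and fixfiles steps listed in the message.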