From: LC Bruzenak <lenny@magitekltd.com>
To: DJ Delorie <dj@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: audit collector startup help
Date: Thu, 11 Sep 2008 10:48:32 -0500
Message-ID: <1221148112.6559.24.camel@homeserver>
In-Reply-To: <200809092207.m89M7Dul017709@greed.delorie.com>

On Tue, 2008-09-09 at 18:07 -0400, DJ Delorie wrote:
> > Only thing I did in between was load about 100 packages needed for the
> > rebuild. Is there any chance that one of these had some necessary magic
> > I was missing?
> 
> More likely, something was holding the socket in CLOSE_WAIT or
> something and happened to time out while you were updating everything.

Actually I believe one of the packages must have installed my policy as
enforcing.

Thanks(!) to an excellent setroubleshoot pop-up I believe that was my
problem:

Source Context:  unconfined_u:system_r:auditd_t:s0
Target Context:  system_u:object_r:anon_inodefs_t:s0
Target Objects:  anon_inode [ file ]
Source:  auditd
Source Path:  /sbin/auditd
Port:  <Unknown>
Host:  fryspc
Source RPM Packages:  audit-1.7.5-1.fc9
Target RPM Packages:  
Policy RPM:  selinux-policy-3.3.1-87.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  fryspc
Platform:  Linux fryspc 2.6.26.3-29.fc9.i686 #1 SMP Wed Sep 3 03:42:27 EDT 2008 i686 athlon
Alert Count:  1
First Seen:  Thu 11 Sep 2008 10:08:57 AM CDT
Last Seen:  Thu 11 Sep 2008 10:08:57 AM CDT
Local ID:  8b4ff486-ae1c-4448-bf38-9b56658ebc01
Line Numbers:  
Raw Audit Messages :
host=fryspc type=AVC msg=audit(1221145737.208:55): avc: denied { write } for pid=3280 comm="auditd" path="anon_inode:[eventfd]" dev=anon_inodefs ino=18 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file 
host=fryspc type=SYSCALL msg=audit(1221145737.208:55): arch=40000003 syscall=4 success=no exit=-13 a0=8 a1=bfb98880 a2=8 a3=b7f6aab8 items=0 ppid=1 pid=3280 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="auditd" exe="/sbin/auditd" subj=unconfined_u:system_r:auditd_t:s0 key=(null) 

### note: I do not have an MLS policy on this machine (although the
setroubleshoot summary says I do) - and I didn't change any policy
defaults.

[lenny@fryspc ~]$ rpm -qa | grep policy
checkpolicy-2.0.16-3.fc9.i386
policycoreutils-2.0.52-8.fc9.i386
selinux-policy-targeted-3.3.1-87.fc9.noarch
selinux-policy-devel-3.3.1-87.fc9.noarch
policycoreutils-gui-2.0.52-8.fc9.i386
selinux-policy-3.3.1-87.fc9.noarch


Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
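
Added example, not part of the original message: the AVC and SYSCALL records quoted above share the event ID 1221145737.208:55, and pairing them on that ID shows which syscall failed and with what errno. The function name denials() and the one-entry SYSCALLS table are assumptions made for this sketch.

```python
import errno
import re
from collections import defaultdict
from datetime import datetime, timezone

# Sample input: the two raw records quoted in the message, copied from it.
RAW = """\
host=fryspc type=AVC msg=audit(1221145737.208:55): avc: denied { write } for pid=3280 comm="auditd" path="anon_inode:[eventfd]" dev=anon_inodefs ino=18 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
host=fryspc type=SYSCALL msg=audit(1221145737.208:55): arch=40000003 syscall=4 success=no exit=-13 a0=8 a1=bfb98880 a2=8 a3=b7f6aab8 items=0 ppid=1 pid=3280 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="auditd" exe="/sbin/auditd" subj=unconfined_u:system_r:auditd_t:s0 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
# Assumption: only the (arch, syscall) pair these records need, i386 write(2).
SYSCALLS = {("40000003", "4"): "write"}


def denials(text):
    """Pair each AVC denial with the SYSCALL record sharing its event ID."""
    events = defaultdict(dict)
    for line in text.splitlines():
        eid = EVENT_ID.search(line)
        if not eid:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        denied = PERMS.search(line)
        if denied:
            rec["perms"] = denied.group(1).split()
        events[eid.groups()][rec.get("type")] = rec
    out = []
    for (secs, serial), recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "perms" not in avc:
            continue  # no SELinux denial in this event
        code = int(sc.get("exit", "0"))
        when = datetime.fromtimestamp(int(secs), timezone.utc)
        out.append({
            "event": f"{when:%Y-%m-%d %H:%M:%S} UTC #{serial}",
            "exe": sc.get("exe"),
            "syscall": SYSCALLS.get((sc.get("arch"), sc.get("syscall"))),
            "errno": errno.errorcode.get(-code) if code < 0 else None,
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
        })
    return out
```

Calling denials(RAW) returns one entry: /sbin/auditd running as auditd_t was refused write on a file object labelled anon_inodefs_t, and its write(2) call returned EACCES.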
