From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: Re: audit collector startup help
Date: Thu, 11 Sep 2008 10:48:32 -0500
Message-ID: <1221148112.6559.24.camel@homeserver>
References: <1220984797.6596.162.camel@homeserver>
	<200809091836.m89IatSW011688@greed.delorie.com>
	<1220986021.6596.167.camel@homeserver>
	<200809091925.m89JPmTd013185@greed.delorie.com>
	<1220990608.6596.200.camel@homeserver>
	<200809092011.m89KBshr014405@greed.delorie.com>
	<1220997150.6596.217.camel@homeserver>
	<200809092207.m89M7Dul017709@greed.delorie.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
In-Reply-To: <200809092207.m89M7Dul017709@greed.delorie.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: DJ Delorie
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2008-09-09 at 18:07 -0400, DJ Delorie wrote:
> > Only thing I did in between was load about 100 packages needed for the
> > rebuild. Is there any chance that one of these had some necessary magic
> > I was missing?
>
> More likely, something was holding the socket in CLOSE_WAIT or
> something and happened to time out while you were updating everything.

Actually I believe one of the packages must have installed my policy as
enforcing. Thanks(!) to an excellent setroubleshoot pop-up I believe that
was my problem:

Source Context:               unconfined_u:system_r:auditd_t:s0
Target Context:               system_u:object_r:anon_inodefs_t:s0
Target Objects:               anon_inode [ file ]
Source:                       auditd
Source Path:                  /sbin/auditd
Port:
Host:                         fryspc
Source RPM Packages:          audit-1.7.5-1.fc9
Target RPM Packages:
Policy RPM:                   selinux-policy-3.3.1-87.fc9
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  catchall_file
Host Name:                    fryspc
Platform:                     Linux fryspc 2.6.26.3-29.fc9.i686 #1 SMP Wed Sep 3
                              03:42:27 EDT 2008 i686 athlon
Alert Count:                  1
First Seen:                   Thu 11 Sep 2008 10:08:57 AM CDT
Last Seen:                    Thu 11 Sep 2008 10:08:57 AM CDT
Local ID:                     8b4ff486-ae1c-4448-bf38-9b56658ebc01
Line Numbers:

Raw Audit Messages :

host=fryspc type=AVC msg=audit(1221145737.208:55): avc: denied { write } for pid=3280 comm="auditd" path="anon_inode:[eventfd]" dev=anon_inodefs ino=18 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file

host=fryspc type=SYSCALL msg=audit(1221145737.208:55): arch=40000003 syscall=4 success=no exit=-13 a0=8 a1=bfb98880 a2=8 a3=b7f6aab8 items=0 ppid=1 pid=3280 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="auditd" exe="/sbin/auditd" subj=unconfined_u:system_r:auditd_t:s0 key=(null)

### note: I do not have an MLS policy on this machine (although the
setroubleshoot summary says I do) - and I didn't change any policy
defaults.

[lenny@fryspc ~]$ rpm -qa | grep policy
checkpolicy-2.0.16-3.fc9.i386
policycoreutils-2.0.52-8.fc9.i386
selinux-policy-targeted-3.3.1-87.fc9.noarch
selinux-policy-devel-3.3.1-87.fc9.noarch
policycoreutils-gui-2.0.52-8.fc9.i386
selinux-policy-3.3.1-87.fc9.noarch

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
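The two raw audit records quoted in the message above (one AVC record and its matching SYSCALL record, sharing the event id 1221145737.208:55) are the evidence behind the poster's conclusion that the denial was being enforced. The following is an added example, not part of the original post and not code from the audit or setroubleshoot packages: a small parser that groups records by event id, pulls the source and target SELinux types, class and permission out of the AVC record, and reads the paired SYSCALL record's success/exit fields to tell an enforced denial (success=no, exit=-13 is EACCES) from a permissive-mode denial, where the same AVC record is logged but the syscall goes through. The sample input is constructed from the two lines in the post; all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw records from the setroubleshoot alert
# quoted in the post (one AVC record plus its matching SYSCALL record).
SAMPLE_RECORDS = """\
host=fryspc type=AVC msg=audit(1221145737.208:55): avc: denied { write } for pid=3280 comm="auditd" path="anon_inode:[eventfd]" dev=anon_inodefs ino=18 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
host=fryspc type=SYSCALL msg=audit(1221145737.208:55): arch=40000003 syscall=4 success=no exit=-13 a0=8 a1=bfb98880 a2=8 a3=b7f6aab8 items=0 ppid=1 pid=3280 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="auditd" exe="/sbin/auditd" subj=unconfined_u:system_r:auditd_t:s0 key=(null)
"""

# key=value pairs: the value is either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# audit(<epoch.millis>:<serial>) identifies one event; every record of that event carries it.
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
# "avc: denied { write } for ..." -> the decision and the set of permissions asked for.
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Turn one audit record into a dict of its fields, plus event id and AVC decision."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {"event_id": f"{m.group(1)}:{m.group(2)}"}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    avc = AVC_RE.search(line)
    if avc:
        rec["decision"] = avc.group(1)
        rec["permissions"] = avc.group(2).split()
    return rec


def type_of(context):
    """The type component of an SELinux context user:role:type[:range]."""
    return context.split(":")[2]


def group_events(text):
    """Collect records by event id, then by record type (AVC, SYSCALL, ...)."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event_id"]][rec["type"]].append(rec)
    return events


def summarize_denials(text):
    """One summary per AVC denial: who, what, which permission, and whether it was enforced."""
    out = []
    for event_id, recs in group_events(text).items():
        syscalls = recs.get("SYSCALL", [])
        sc = syscalls[0] if syscalls else {}
        for avc in recs.get("AVC", []):
            if avc.get("decision") != "denied":
                continue
            # Enforcing mode: the denied syscall fails (success=no; exit=-13 is EACCES).
            # Permissive mode: the same AVC record is logged but the syscall succeeds,
            # so success=yes on the paired SYSCALL record means "logged only".
            enforced = sc.get("success") == "no"
            out.append({
                "event_id": event_id,
                "comm": avc.get("comm"),
                "pid": avc.get("pid"),
                "source_type": type_of(avc["scontext"]),
                "target_type": type_of(avc["tcontext"]),
                "tclass": avc.get("tclass"),
                "permissions": avc["permissions"],
                "path": avc.get("path"),
                "exit": sc.get("exit"),
                "enforced": enforced,
            })
    return out


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_RECORDS):
        mode = "ENFORCED (syscall failed)" if d["enforced"] else "permissive (logged only)"
        print(f"{d['event_id']}: {d['comm']}[{d['pid']}] {d['source_type']} -> "
              f"{d['target_type']} {d['tclass']} {{ {' '.join(d['permissions'])} }} "
              f"path={d['path']} exit={d['exit']} {mode}")
```

Run on the post's two records this reports auditd_t denied write on an anon_inodefs_t file, exit -13, enforced. The point of joining the AVC record to its SYSCALL record by event id is that the AVC line alone cannot tell you whether the policy actually blocked the operation; only the success/exit fields of the syscall record do, which is exactly the distinction the poster ran into when a package update left the policy in enforcing mode.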