Linux-audit Archive on lore.kernel.org
* auditd shutdown issue
@ 2007-05-07 15:18 Bill O'Donnell
  2007-05-07 15:56 ` Bill O'Donnell
  0 siblings, 1 reply; 5+ messages in thread
From: Bill O'Donnell @ 2007-05-07 15:18 UTC (permalink / raw)
  To: linux-audit

Probably a FAQ, but I'm having some trouble stopping a system running 
auditd.

Installed RHEL5 on X86-64 architecture presumably using default installation 
parameters.  Worked fine, booted fine, but when I shut down (using init 0, halt, 
etc.) the system starts scrolling pages and pages of the following messages 
when it stops the auditd.  The only way out is to power the system off or 
restart auditd.
-----------------
The system is going down for system halt NOW!
[root@skynet15 ~Shutting down smartd: [  OK  ]
Shutting down Avahi daemon: [  OK  ]
Stopping HAL daemon: [  OK  ]
----------------

Any help is appreciated.
Thx -
Bill


* Re: auditd shutdown issue
  2007-05-07 15:18 auditd shutdown issue Bill O'Donnell
@ 2007-05-07 15:56 ` Bill O'Donnell
  2007-05-07 16:12   ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Bill O'Donnell @ 2007-05-07 15:56 UTC (permalink / raw)
  To: linux-audit

whoops, forgot the rest of the output:
---------------
Stopping yum-updatesd: [  OK  ]
Stopping anacron: [  OK  ]
Stopping atd: [  OK  ]
Stopping cups: [  OK  ]
Stopping hpiod: [  OK  ]
Stopping hpssd: [  OK  ]
Shutting down xfs: [  OK  ]
Shutting down console mouse services: [  OK  ]
Stopping sshd: [  OK  ]
Shutting down sm-client: [  OK  ]
Shutting down sendmail: [  OK  ]

/etc/rc0.d/K50esp: line 109: [: localhost: binary operator expected
Stopping acpi daemon: [  OK  ]
Stopping crond: [  OK  ]
Shutting down RPC idmapd: [  OK  ]
Stopping autofs:  Stopping automount: [  OK  ]
[  OK  ]
Stopping system message bus: [  OK  ]
Stopping NFS statd: [  OK  ]
Stopping mcstransd: [  OK  ]
Stopping portmap: [  OK  ]
Stopping auditd:audit(1178276231.766:704): avc:  denied  { write } for
pid=2911
 comm="auditd" name="log" dev=tmpfs ino=10195
scontext=system_u:system_r:auditd_
t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
 audit(1178276231.766:705): audit_pid=0 old=ystem_r:klogd_t:s0 key=(null)
 <5>audit("log" dev=tmpfs ino==(>audit(1178276231.850:1364): avc:  deniite }
for
 pid=3501 comm="klogd" name="ltmpfs ino=10195 scontext=system_u:system_t:s0
tcon
text=system_u:object_r:devicelass=sock_file
<5>audit(1178276231.891:rch=c000003e syscall=42 success=no exit1
a1=55555575b960
 a2=a a3=7fff7d41b1f3 ppid=1 pid=3501 auid=4294967295 uid=0 gi=0 suid=0
fsuid=0
egid=0 sgid=0 fsgid=0 e) comm="klogd" exe="/sbin/klogd"
subj=:system_r:klogd_t:s
0 key=(null)
<5>audi6231.963:4203): avc:  denied  { write }d=3501 comm="klogd" name="log"
dev
=tmpf195
scontext=system_u:system_r:klogd_t:sxt=system_u:object_r:device_t:s0 tc
lass=e
<5>audit(1178276232.004:5235): arch= syscall=42 success=no exit=-13 a0=1
a15b960
 a2=a a3=7fff7d41b1f3 items=0 ppid501 auid=4294967295 uid=0 gid=0 euid=0
suid=0
egid=0 sgid=0 fsgid=0 tty=(none) cgd" exe="/sbin/klogd"
subj=system_u:sysogd_t:s
0 key=(null)
<5>audit(11782762342): avc:  denied  { write } for  pid=35"klogd" name="log"
dev
=tmpfs ino=10195 =system_u:system_r:klogd_t:s0
tcontext=sobject_r:device_t:s0 tc
lass=sock_file
(1178276232.117:8074): arch=c000003e syssuccess=no exit=-13 a0=1
a1=55555575b963
=7fff7d41b1f3 items=0 ppid=1 pid=3501 4967295 uid=0 gid=0 euid=0 suid=0
fsuid= s
gid=0 fsgid=0 tty=(none) comm="klogd" in/klogd"
subj=system_u:system_r:klogd_=(n
ull)
<5>audit(1178276232.179:9623): nied  { write } for  pid=3501
comm="klogd41b1f3 i
tems=0 ppid=1 pid=3501 auid=42967295 uid=0 gid=0 euid=0 suid=0 fsuid=0gid=0
sgid
=0 fsgid=0 tty=(none) comm="kgd" exe="/sbin/klogd"
subj=system_u:sysm_r:klogd_t:
s0 key=(null)
<5>audit(11786232.251:11424): avc:  denied  { write }or  pid=3501
comm="klogd" n
ame="log" detmpfs ino=10195 scontext=system_u:syster:klogd_t:s0
tcontext=system_
u:object_r:vice_t:s0 tclass=sock_file
<5>audit(18276232.302:12709): arch=c000003e syscall2 success=no exit=-13
a0=1 a1
.
.


* Re: auditd shutdown issue
  2007-05-07 15:56 ` Bill O'Donnell
@ 2007-05-07 16:12   ` Steve Grubb
  2007-05-07 16:38     ` Bill O'Donnell
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2007-05-07 16:12 UTC (permalink / raw)
  To: linux-audit

On Monday 07 May 2007 11:56, Bill O'Donnell wrote:
> Stopping auditd:audit(1178276231.766:704): avc:  denied  { write } for
> pid=2911 comm="auditd" name="log" dev=tmpfs ino=10195
> scontext=system_u:system_r:auditd_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file 

This would seem to indicate you have a mislabeled system. You should not have 
a label of device_t type unless you have hardware we've not seen. Without 
knowing more about how you got in this situation, it's hard to say exactly 
what the problem is. I'd start by relabeling your system.

-Steve


* Re: auditd shutdown issue
  2007-05-07 16:12   ` Steve Grubb
@ 2007-05-07 16:38     ` Bill O'Donnell
  2007-05-07 17:10       ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Bill O'Donnell @ 2007-05-07 16:38 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Mon, May 07, 2007 at 12:12:52PM -0400, Steve Grubb wrote:
| On Monday 07 May 2007 11:56, Bill O'Donnell wrote:
| > Stopping auditd:audit(1178276231.766:704): avc:  denied  { write } for
| > pid=2911 comm="auditd" name="log" dev=tmpfs ino=10195
| > scontext=system_u:system_r:auditd_t:s0
| > tcontext=system_u:object_r:device_t:s0 tclass=sock_file 
| 
| This would seem to indicate you have a mislabeled system. You should not have 
| a label of device_t type unless you have hardware we've not seen. Without 
| knowing more about how you got in this situation, its hard to say exactly 
| what the problem is. I'd start by relabeling your system.

It is quite likely this is hardware that is new to SELinux.  We're going
ahead with relabeling.  Is there another log somewhere that can indicate the
success, or lack thereof, of the labeling?


* Re: auditd shutdown issue
  2007-05-07 16:38     ` Bill O'Donnell
@ 2007-05-07 17:10       ` Steve Grubb
  0 siblings, 0 replies; 5+ messages in thread
From: Steve Grubb @ 2007-05-07 17:10 UTC (permalink / raw)
  To: Bill O'Donnell; +Cc: linux-audit

On Monday 07 May 2007 12:38, Bill O'Donnell wrote:
> Is there another log somewhere that can indicate the
> success, or lack thereof, of the labeling?

dmesg should have the results. There should be an audit event of type 
AUDIT_FS_RELABEL somewhere with "res" field indicating status.

-Steve
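The two checks Steve describes in this thread, flagging AVC denials whose target carries the unexpected device_t label and pulling the "res" field out of the FS_RELABEL record after a relabel, as an added example that is not part of the thread. The AVC sample lines are the auditd and klogd records from the console output above reflowed onto single lines; the FS_RELABEL line layout is a constructed assumption, and the parser only relies on finding "type=FS_RELABEL" and a "res=" key in it.

```python
import re

# Constructed sample input: two AVC records recovered from the thread's console
# dump, plus an FS_RELABEL record whose exact layout is an assumption.
SAMPLE_LINES = [
    'audit(1178276231.766:704): avc:  denied  { write } for  pid=2911 '
    'comm="auditd" name="log" dev=tmpfs ino=10195 '
    'scontext=system_u:system_r:auditd_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=sock_file',
    'audit(1178276232.004:5235): avc:  denied  { write } for  pid=3501 '
    'comm="klogd" name="log" dev=tmpfs ino=10195 '
    'scontext=system_u:system_r:klogd_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=sock_file',
    'type=FS_RELABEL msg=audit(1178280000.000:12): user pid=1 uid=0 auid=0 '
    "msg='op=mass relabel exe=\"/sbin/setfiles\" res=success'",
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"\'') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """user:role:type:level -> type (None if the context is malformed)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def find_mislabeled_denials(lines, suspect_types=('device_t',)):
    """AVC denials whose target object carries a type that a stock install
    should not put on it; device_t on the /dev/log sock_file is the case here."""
    hits = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = parse_kv(m.group('rest'))
        ttype = context_type(fields.get('tcontext', ''))
        if ttype in suspect_types:
            hits.append({'perms': m.group('perms').split(),
                         'comm': fields.get('comm'), 'name': fields.get('name'),
                         'tclass': fields.get('tclass'), 'tcontext_type': ttype,
                         'scontext_type': context_type(fields.get('scontext', ''))})
    return hits


def relabel_results(lines):
    """res= value of every FS_RELABEL record, to confirm the relabel outcome."""
    return [parse_kv(l).get('res') for l in lines if 'type=FS_RELABEL' in l]
```

Feed it the output of dmesg (or /var/log/audit/audit.log) line by line; an empty result from relabel_results means no relabel ran, and any hit from find_mislabeled_denials is an object to inspect with restorecon -nv before trusting the boot.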

