From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Bill O'Donnell" <billodo@sgi.com>
Subject: Re: auditd shutdown issue
Date: Mon, 7 May 2007 11:38:56 -0500
Message-ID: <20070507163856.GA18495@sgi.com>
References: <20070507151806.GA17862@sgi.com> <20070507155655.GA18147@sgi.com>
	<200705071212.52354.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
In-Reply-To: <200705071212.52354.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, May 07, 2007 at 12:12:52PM -0400, Steve Grubb wrote:
| On Monday 07 May 2007 11:56, Bill O'Donnell wrote:
| > Stopping auditd:audit(1178276231.766:704): avc: =A0denied =A0{ write =
} for
| > pid=3D2911 comm=3D"auditd" name=3D"log" dev=3Dtmpfs ino=3D10195
| > scontext=3Dsystem_u:system_r:auditd_t:s0
| > tcontext=3Dsystem_u:object_r:device_t:s0 tclass=3Dsock_file=20
|=20
| This would seem to indicate you have a mislabeled system. You should no=
t have=20
| a label of device_t type unless you have hardware we've not seen. Witho=
ut=20
| knowing more about how you got in this situation, its hard to say exact=
ly=20
| what the problem is. I'd start by relabeling your system.

It is quite likely this is hardware that is new to SELinux.  We're going
ahead with relabeling.  Is there another log somewhere that can indicate =
the
success, or lack thereof, of the labeling?