* auditd shutdown issue
From: Bill O'Donnell @ 2007-05-07 15:18 UTC (permalink / raw)
To: linux-audit
Probably a FAQ, but I'm having some trouble stopping a system running
auditd.
Installed RHEL5 on X86-64 architecture presumably using default installation
parameters. Worked fine, booted fine, but when I shut down (using init 0, halt,
etc.) the system starts scrolling pages and pages of the following messages
when it stops the auditd. The only way out is to power the system off or
restart auditd.
-----------------
The system is going down for system halt NOW!
[root@skynet15 ~Shutting down smartd: [ OK ]
Shutting down Avahi daemon: [ OK ]
Stopping HAL daemon: [ OK ]
----------------
Any help is appreciated.
Thx -
Bill
* Re: auditd shutdown issue
From: Bill O'Donnell @ 2007-05-07 15:56 UTC (permalink / raw)
To: linux-audit
Whoops, forgot the rest of the output:
---------------
Stopping yum-updatesd: [ OK ]
Stopping anacron: [ OK ]
Stopping atd: [ OK ]
Stopping cups: [ OK ]
Stopping hpiod: [ OK ]
Stopping hpssd: [ OK ]
Shutting down xfs: [ OK ]
Shutting down console mouse services: [ OK ]
Stopping sshd: [ OK ]
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
/etc/rc0.d/K50esp: line 109: [: localhost: binary operator expected
Stopping acpi daemon: [ OK ]
Stopping crond: [ OK ]
Shutting down RPC idmapd: [ OK ]
Stopping autofs: Stopping automount: [ OK ]
[ OK ]
Stopping system message bus: [ OK ]
Stopping NFS statd: [ OK ]
Stopping mcstransd: [ OK ]
Stopping portmap: [ OK ]
Stopping auditd:audit(1178276231.766:704): avc: denied { write } for
pid=2911
comm="auditd" name="log" dev=tmpfs ino=10195
scontext=system_u:system_r:auditd_
t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit(1178276231.766:705): audit_pid=0 old=ystem_r:klogd_t:s0 key=(null)
<5>audit("log" dev=tmpfs ino==(>audit(1178276231.850:1364): avc: deniite }
for
pid=3501 comm="klogd" name="ltmpfs ino=10195 scontext=system_u:system_t:s0
tcon
text=system_u:object_r:devicelass=sock_file
<5>audit(1178276231.891:rch=c000003e syscall=42 success=no exit1
a1=55555575b960
a2=a a3=7fff7d41b1f3 ppid=1 pid=3501 auid=4294967295 uid=0 gi=0 suid=0
fsuid=0
egid=0 sgid=0 fsgid=0 e) comm="klogd" exe="/sbin/klogd"
subj=:system_r:klogd_t:s
0 key=(null)
<5>audi6231.963:4203): avc: denied { write }d=3501 comm="klogd" name="log"
dev
=tmpf195
scontext=system_u:system_r:klogd_t:sxt=system_u:object_r:device_t:s0 tc
lass=e
<5>audit(1178276232.004:5235): arch= syscall=42 success=no exit=-13 a0=1
a15b960
a2=a a3=7fff7d41b1f3 items=0 ppid501 auid=4294967295 uid=0 gid=0 euid=0
suid=0
egid=0 sgid=0 fsgid=0 tty=(none) cgd" exe="/sbin/klogd"
subj=system_u:sysogd_t:s
0 key=(null)
<5>audit(11782762342): avc: denied { write } for pid=35"klogd" name="log"
dev
=tmpfs ino=10195 =system_u:system_r:klogd_t:s0
tcontext=sobject_r:device_t:s0 tc
lass=sock_file
(1178276232.117:8074): arch=c000003e syssuccess=no exit=-13 a0=1
a1=55555575b963
=7fff7d41b1f3 items=0 ppid=1 pid=3501 4967295 uid=0 gid=0 euid=0 suid=0
fsuid= s
gid=0 fsgid=0 tty=(none) comm="klogd" in/klogd"
subj=system_u:system_r:klogd_=(n
ull)
<5>audit(1178276232.179:9623): nied { write } for pid=3501
comm="klogd41b1f3 i
tems=0 ppid=1 pid=3501 auid=42967295 uid=0 gid=0 euid=0 suid=0 fsuid=0gid=0
sgid
=0 fsgid=0 tty=(none) comm="kgd" exe="/sbin/klogd"
subj=system_u:sysm_r:klogd_t:
s0 key=(null)
<5>audit(11786232.251:11424): avc: denied { write }or pid=3501
comm="klogd" n
ame="log" detmpfs ino=10195 scontext=system_u:syster:klogd_t:s0
tcontext=system_
u:object_r:vice_t:s0 tclass=sock_file
<5>audit(18276232.302:12709): arch=c000003e syscall2 success=no exit=-13
a0=1 a1
.
.
* Re: auditd shutdown issue
From: Steve Grubb @ 2007-05-07 16:12 UTC (permalink / raw)
To: linux-audit
On Monday 07 May 2007 11:56, Bill O'Donnell wrote:
> Stopping auditd:audit(1178276231.766:704): avc: denied { write } for
> pid=2911 comm="auditd" name="log" dev=tmpfs ino=10195
> scontext=system_u:system_r:auditd_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
This would seem to indicate you have a mislabeled system. You should not have
a label of device_t type unless you have hardware we've not seen. Without
knowing more about how you got in this situation, it's hard to say exactly
what the problem is. I'd start by relabeling your system.
-Steve
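
Added example (not part of the original thread and not code from the audit project): a small Python parser for AVC records like the one quoted above, reporting denials whose target context carries the generic `device_t` type that the reply reads as a sign of mislabeling. The function names are hypothetical; the first sample line is the quoted record with its line wraps joined, the second is one garbled console line from the earlier message, which the parser skips.

```python
import re

# First line: the AVC record quoted in the reply above, line wraps joined.
# Second line: one garbled console line from the earlier message, as posted.
SAMPLE_LINES = [
    'Stopping auditd:audit(1178276231.766:704): avc: denied { write } for '
    'pid=2911 comm="auditd" name="log" dev=tmpfs ino=10195 '
    'scontext=system_u:system_r:auditd_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=sock_file',
    '<5>audit("log" dev=tmpfs ino==(>audit(1178276231.850:1364): avc: deniite }',
]

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'timestamp': m.group('ts'), 'serial': int(m.group('serial')),
           'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('rest')):
        rec[key] = value.strip('"')
    return rec


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def generic_target_denials(lines, generic_types=('device_t',)):
    """List denials whose target object carries one of generic_types."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        ttype = context_type(rec.get('tcontext', ''))
        if ttype in generic_types:
            hits.append((rec.get('comm'), rec.get('name'), rec.get('tclass'),
                         context_type(rec.get('scontext', '')), ttype))
    return hits


if __name__ == '__main__':
    print(generic_target_denials(SAMPLE_LINES))
```
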
* Re: auditd shutdown issue
From: Bill O'Donnell @ 2007-05-07 16:38 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Mon, May 07, 2007 at 12:12:52PM -0400, Steve Grubb wrote:
| On Monday 07 May 2007 11:56, Bill O'Donnell wrote:
| > Stopping auditd:audit(1178276231.766:704): avc: denied { write } for
| > pid=2911 comm="auditd" name="log" dev=tmpfs ino=10195
| > scontext=system_u:system_r:auditd_t:s0
| > tcontext=system_u:object_r:device_t:s0 tclass=sock_file
|
| This would seem to indicate you have a mislabeled system. You should not have
| a label of device_t type unless you have hardware we've not seen. Without
| knowing more about how you got in this situation, it's hard to say exactly
| what the problem is. I'd start by relabeling your system.
It is quite likely this is hardware that is new to SELinux. We're going
ahead with relabeling. Is there another log somewhere that can indicate the
success, or lack thereof, of the labeling?