From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditd reconfigure using SIGHUP
Date: Fri, 06 Jan 2017 11:44:21 -0500
Message-ID: <2504845.tOagdOxZuC@x2>
References: <1534655.ELJPxH09fV@x2>
To: "Bhagwat, Shriniketan Manjunath"
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

Hello,

On Friday, January 6, 2017 6:29:59 AM EST Bhagwat, Shriniketan Manjunath wrote:
> In my last email I missed mentioning the fix that I have implemented.
>
> Issue 1) As you said, I have fixed it by replacing the ev_signal by
> ev_child as below.
>
> struct ev_child sigchld_watcher;
>
> ev_child_init (&sigchld_watcher, child_handler, 0, 0);
> ev_child_start (EV_DEFAULT_ &sigchld_watcher);
>
> static void child_handler(EV_P_ ev_child *w, int revents)
> {
>         int pid;
>
>         if (w->rpid == dispatcher_pid()) {
>                 dispatcher_reaped();
>         }
> }

I tried this as a first step yesterday but what happens is the problem gets
worse. It thinks the dispatcher is running all the time and never tries to
restart it.

> Issue 2) In auditd.c main(), child_handler is registered not immediately
> after init_dispatcher() is called. I have modified the audit to register
> ev_child immediately after init_dispatcher() as below. Or maybe before
> calling init_dispatcher(). This fixed issue 2 for me. Below extract is from
> documentation of libev for ev_child: "It is permissible to install a child
> watcher after the child has been forked (which implies it might have
> already exited), as long as the event loop isn't entered (or is continued
> from a watcher), i.e., forking and then immediately registering a watcher
> for the child is fine, but forking and registering a watcher a few event
> loop iterations later or in the next callback invocation is not."
>
> if (init_dispatcher(&config)) {
>         if (pidfile)
>                 unlink(pidfile);
>         tell_parent(FAILURE);
>         return 1;
> }
> ev_child_init (&sigchld_watcher, child_handler, 0, 0);
> ev_child_start (EV_DEFAULT_ &sigchld_watcher);
>
> Issue 3) With the above fix for issue 2, I did not see the issue 3 getting
> occurred for me. This could be because shutdown_dispatcher() is called from
> dispatcher_reaped() where the status on the pipe is not checked.

Using the above code I still see the descriptor getting stepped on by
something. I have added some debug info to audispd in svn which makes the
problem more clear.

Jan 6 11:43:13 audispd: Failed setting up input(Bad file descriptor, -1), exiting

In case anyone else wishes to have a regression test, here's some code:

#!/bin/sh
while [ 1 ]
do
        echo "disabling sedispatch"
        sed -i '/active/s/yes/no/' /etc/audisp/plugins.d/sedispatch.conf
        kill -HUP `pidof auditd`
        sleep 10
        pstree -p `pidof auditd`
        echo "enabling sedispatch"
        sed -i '/active/s/no/yes/' /etc/audisp/plugins.d/sedispatch.conf
        kill -HUP `pidof auditd`
        sleep 10
        pstree -p `pidof auditd`
done

Of course you might want to change the plugin that's being altered to
something else.

-Steve
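
The ordering rule in the libev documentation quoted in this message can be modelled in plain POSIX. The following is an added example, not code from auditd, libev or this thread: the names watched_pid, loop_iteration and watcher_sees_exit are hypothetical, and it assumes a loop that reaps every exited child on each iteration and notifies only the watchers registered at that moment.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-ins for an event loop's child watcher (not libev code). */
static pid_t watched_pid;   /* 0 means no watcher is registered */
static int watcher_fired;   /* set when the watched pid is reaped */

/* One loop iteration: reap every exited child, notify a matching watcher. */
static void loop_iteration(void)
{
    pid_t pid;
    while ((pid = waitpid(-1, NULL, WNOHANG)) > 0)
        if (pid == watched_pid)
            watcher_fired = 1;
}

/* Fork a child that exits at once; return when it is a zombie, unreaped. */
static pid_t fork_exited_child(void)
{
    siginfo_t info;
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid > 0 && waitid(P_PID, (id_t)pid, &info, WEXITED | WNOWAIT) != 0)
        return -1;
    return pid;
}

/* Returns 1 if the watcher saw the exit, 0 if it was lost, -1 on error. */
int watcher_sees_exit(int register_first)
{
    pid_t pid = fork_exited_child();
    if (pid < 0)
        return -1;
    watched_pid = register_first ? pid : 0;
    watcher_fired = 0;
    loop_iteration();       /* late case: child reaped with nobody watching */
    watched_pid = pid;      /* late case: registration happens only now */
    loop_iteration();       /* nothing is left to reap */
    return watcher_fired;
}

int main(void)
{
    printf("first=%d late=%d\n", watcher_sees_exit(1), watcher_sees_exit(0));
    return 0;
}
```

In the late case the exit status is consumed before any watcher exists, so a supervisor relying on that notification would keep treating the child as running.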