FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Jun 2007
    Posts
    97

    Strange audit messages

    Hi,
    after updating to kde357 (using fc7) and installing and deinstalling seedit-*** I got lots of the following messages when shutting down:
    ----------------------------------------------
    Jul 2 22:26:34 localhost auditd[1776]: The audit daemon is exiting.
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:95): audit_pid=0 old=1776 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:96): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit rule for selinux 'dhclient_t' is invalid
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:97): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:98): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit rule for selinux 'mcstransd_t' is invalid
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:99): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:100): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:101): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit rule for selinux 'samba_t' is invalid
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:102): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:103): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:104): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:105): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:106): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:107): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:108): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    Jul 2 22:26:34 localhost kernel: audit(1183407994.408:109): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
    -----------------------------------------------------------------


    I also now have problems with the combination "fn+sound up/down". I've enabled the "microsoft natural pro/ internet pro" keyboard layout, but it doesn't function anymore, and when trying to use the combination "fn+sound up/down" I just see the dialog going from 0 up to 11%, but this doesn't reflect the actual volume level. In kde 356 it was ok and all keyboard shortcuts were functioning ok.

  2. #2
    Join Date
    Jun 2007
    Posts
    97
    Does anybody have a solution? Anyone?

  3. #3
    Join Date
    Jul 2007
    Posts
    2
    Same thing happens here. I have also tried setting the policy back to "targeted" from seedit (which seedit automatically switched when it was installed) and re-labelling the entire filesystem. After all of that, I finally got my system to boot, but the error messages described above are present and when SELinux is set to "enforcing," audispd eats up all the CPU usage starting a few seconds from boot.

    I'm not familiar with SELinux audit syntax, but this part of the error message:
    op=remove rule key=(null)
    seems like it's trying to remove a "null" rule key, which I'm guessing wasn't present before seedit was installed and uninstalled.

    My guess is that the seedit policy and targeted policy overlap but are not mutually inclusive. When the "targeted" policy is reinstalled and relabels the filesystem, I suspect it only fixes the files that the targeted policy applies to and leaves the seedit (but not targeted) ones intact. Just a theory.

    Does anyone know how an autorelabel works? Does it "fix" all of the files or just some of the files? Any advice from someone who knows something about SELinux?

  4. #4
    Join Date
    Jun 2007
    Posts
    97
    Quote Originally Posted by liquidsunshine
    Same thing happens here. I have also tried setting the policy back to "targeted" from seedit (which seedit automatically switched when it was installed) and re-labelling the entire filesystem. After all of that, I finally got my system to boot, but the error messages described above are present and when SELinux is set to "enforcing," audispd eats up all the CPU usage starting a few seconds from boot.

    I'm not familiar with SELinux audit syntax, but this part of the error message:
    op=remove rule key=(null)
    seems like it's trying to remove a "null" rule key, which I'm guessing wasn't present before seedit was installed and uninstalled.

    My guess is that the seedit policy and targeted policy overlap but are not mutually inclusive. When the "targeted" policy is reinstalled and relabels the filesystem, I suspect it only fixes the files that the targeted policy applies to and leaves the seedit (but not targeted) ones intact. Just a theory.

    Does anyone know how an autorelabel works? Does it "fix" all of the files or just some of the files? Any advice from someone who knows something about SELinux?
    I've filed a bug report about this, here -> https://bugzilla.redhat.com/bugzilla....cgi?id=246616

  5. #5
    Join Date
    Jul 2007
    Posts
    2
    Ok, after much fiddling around with it, I found a solution on my system. What tipped me off was the errors in dmesg. They all began with "inode_doinit_with_dentry" and referenced /var/tmp (was more like _var_tmp_ or something). Remembering that SELinux almost always gets temporary file contexts wrong, I completely cleaned out /tmp and /var/tmp. When I rebooted, everything was fine. When I set SELinux to enforcing and rebooted, everything was fine, including audispd.

    I think that's the main solution, but I also did a complete relabel of the filesystem, including customizable files, using the command:
    [as root] restorecon -RvF /
    This might be something to try as well if the above doesn't work.

    Also, check /etc/audit/audit.rules for problems; I had to clean out all of the things below the line below at one point:
    # Feel free to add below this line. See auditctl man page

    Still, I'm ticked off at seedit for screwing all of this up in the first place. It shouldn't arbitrarily install its own policy by default; it should at least warn you that doing so can cause many problems.

    I hope this helps! If not, post back and I'll see if I can help you some more.

  6. #6
    Join Date
    Jun 2007
    Posts
    97
    Quote Originally Posted by liquidsunshine
    Ok, after much fiddling around with it, I found a solution on my system. What tipped me off was the errors in dmesg. They all began with "inode_doinit_with_dentry" and referenced /var/tmp (was more like _var_tmp_ or something). Remembering that SELinux almost always gets temporary file contexts wrong, I completely cleaned out /tmp and /var/tmp. When I rebooted, everything was fine. When I set SELinux to enforcing and rebooted, everything was fine, including audispd.

    I think that's the main solution, but I also did a complete relabel of the filesystem, including customizable files, using the command:
    [as root] restorecon -RvF /
    This might be something to try as well if the above doesn't work.

    Also, check /etc/audit/audit.rules for problems; I had to clean out all of the things below the line below at one point:
    # Feel free to add below this line. See auditctl man page

    Still, I'm ticked off at seedit for screwing all of this up in the first place. It shouldn't arbitrarily install its own policy by default; it should at least warn you that doing so can cause many problems.

    I hope this helps! If not, post back and I'll see if I can help you some more.
    Well, I just deleted all the rules after "# Feel free to add below this line. See auditctl man page" in /etc/audit/audit.conf and restarted audit. No reboot, no relabel or anything, and it was fine, no strange messages at exit. Just one, but I think it is from the audit service itself and it says that the service has exited.

    Anyway, a warning message before installing SEEdit should be added!
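    The kernel line "audit rule for selinux 'dhclient_t' is invalid" in post #1 is emitted when an audit rule's SELinux filter names a type the currently loaded policy does not define, which is what leftover rules from a different policy look like. The script below is an added example, not code from this thread or from seedit: it pulls the rejected types out of syslog lines shaped like the ones posted above, then lists only the rules under the "# Feel free to add below this line" marker of an audit.rules file that reference those types, so a user can remove the offending rules instead of blanking the whole section as in posts #5 and #6. The syslog excerpt and the audit.rules content are constructed samples (the `-F subj_type=` rules are an assumption about what seedit left behind).

```python
import re

# Constructed sample in the shape of the kernel lines quoted in post #1.
SAMPLE_SYSLOG = """\
Jul 2 22:26:34 localhost auditd[1776]: The audit daemon is exiting.
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:96): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'dhclient_t' is invalid
Jul 2 22:26:34 localhost kernel: audit(1183407994.408:97): auid=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove rule key=(null) list=4 res=1
Jul 2 22:26:34 localhost kernel: audit rule for selinux 'samba_t' is invalid
"""

# Constructed sample /etc/audit/audit.rules; the rules under the marker are assumed leftovers.
SAMPLE_RULES = """\
-D
-b 320
# Feel free to add below this line. See auditctl man page
-a exit,always -F subj_type=dhclient_t -S all
-a exit,always -F subj_type=httpd_t -S open
-a exit,always -F subj_type=samba_t -S all
"""

MARKER = "# Feel free to add below this line. See auditctl man page"
INVALID_RE = re.compile(r"audit rule for selinux '([A-Za-z0-9_]+)' is invalid")
REMOVE_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\): .*op=remove rule .*list=(\d+) res=(\d+)")

def invalid_types(syslog_text):
    """SELinux types the kernel rejected while auditctl was removing rules."""
    return set(INVALID_RE.findall(syslog_text))

def removal_events(syslog_text):
    """(serial, list, res) per 'op=remove rule' record; list=4 is the syscall exit filter."""
    return [(int(s), int(l), int(r)) for s, l, r in REMOVE_RE.findall(syslog_text)]

def rules_below_marker(rules_text):
    """Non-comment, non-empty rules after the marker line, i.e. the user-added section."""
    lines = rules_text.splitlines()
    if MARKER not in lines:
        return []
    start = lines.index(MARKER) + 1
    return [ln for ln in lines[start:] if ln.strip() and not ln.startswith("#")]

def suspect_rules(rules_text, bad_types):
    """User-added rules whose subj_type filter names a type the kernel rejected."""
    out = []
    for rule in rules_below_marker(rules_text):
        m = re.search(r"-F\s+subj_type=([A-Za-z0-9_]+)", rule)
        if m and m.group(1) in bad_types:
            out.append(rule)
    return out
```

    Rules for types that are valid under the loaded policy (httpd_t in the sample) are left alone, so the check removes only what the kernel itself flagged.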

  7. #7
    Join Date
    Nov 2006
    Location
    The bowels of hell, and Redmond
    Posts
    250

    Seedit Suxit Big Time!!

    This is a great thread, and I learned a lot from it, but this one thing messed me up pretty good...

    Quote Originally Posted by liquidsunshine
    ... Remembering that SELinux almost always gets temporary file contexts wrong, I completely cleaned out /tmp and /var/tmp. When I rebooted, everything was fine. When I set SELinux to enforcing and rebooted, everything ...
    To me, cleaning out the entire directory means just that, removing everything. One should NOT do that, as the user config files are saved in /var/tmp, of all places to save important stuff! Grrr. Well, if you have to go through all that and you have deleted everything, I was able to create a new user and then boot into the new account and copy over all my important stuff from the old home dir.

    There is a process that will go clean out the tmp dirs for you, it just happens on its own schedule...

    HTH
    Last edited by resistor200; 28th September 2007 at 06:25 AM.
    [food for thought]
    Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!

  8. #8
    Join Date
    Jun 2007
    Posts
    97
    Quote Originally Posted by resistor200
    This is a great thread, and I learned a lot from it, but this one thing messed me up pretty good...



    To me cleaning out the entire directory means just that, removing everything. One should NOT do that as the user config files are saved in the /var/tmp, of all places to save important stuff! Grrr. well, if you have to go through all that and you have deleted everything, I was able to create a new user and then boot into the new account and copy over all my important stuff from the old home dir.

    There is a process that will go clean out the tmp dirs for you, it just happens on its own schedule...

    HTH
    I deleted the whole /var directory, so there was no way that the system could repair itself. Even a new installation from the DVD couldn't help. The rpm database was gone and the only meaningful solution for me was a complete new install.

    But that happened loooong time ago and I think I've learned my lesson: "DON'T solve your problems with
    Code:
    rm -rf /
    " and "Read twice before doing something"
