LinuxQuestions.org


prashant.saraf 03-22-2009 03:47 AM

auditd Problem, need to boot system with Level 1
 
Hi,
I am using Fedora 10, and auditd failed to start, so I am unable to log in. Because of that I want to log in with level 1. Can someone tell me how to do it? Or is there any solution to get into the system?

unSpawn 03-22-2009 04:58 AM

On bootup in GRUB add (w/o outer quotes) "enforcing=0 1" as last argument to your kernel's boot arguments. The "enforcing=0" disables SE Linux until rebooted and " 1" signals the machine to enter single user runlevel 1. Check the system logs why Auditd does not want to start and please post exact error messages if any.

prashant.saraf 03-22-2009 06:10 AM

Quote:

Originally Posted by unSpawn (Post 3483838)
On bootup in GRUB add (w/o outer quotes) "enforcing=0 1" as last argument to your kernel's boot arguments. The "enforcing=0" disables SE Linux until rebooted and " 1" signals the machine to enter single user runlevel 1. Check the system logs why Auditd does not want to start and please post exact error messages if any.

Thanks, I am able to log in using enforcing=0 1, and I have changed the owner and the rights of audit.log, but still the same issue.

I remembered what I did that caused this problem. I logged in as root through GNOME. There I selected the properties of '/', i.e. the file system, and gave permission to everyone, even for all subdirectories of '/' :(

unSpawn 03-22-2009 07:02 AM

Quote:

Originally Posted by prashant.saraf (Post 3483873)
I remembered what I did that caused this problem. I logged in as root through GNOME. There I selected the properties of '/', i.e. the file system, and gave permission to everyone, even for all subdirectories of '/' :(

There's a few fatal flaws there. First of all you should not (need to) log in as root, root does not need any X sessions and changing permissions to alleviate problems certainly is the wrong way to do things (which you already found out the hard way yourself). Please familiarise yourself with operating a GNU/Linux system using the documents that came with your installation, the documents on the CentOS site and those on the site of Red Hat.

To get things back in order you could try 'rpm --setperms filesystem' to restore topdir perms then 'rpm -qa 2>/dev/null|xargs rpm --setperms' to do the same for all other installed packages.

prashant.saraf 03-22-2009 08:14 AM

I have tried 'rpm --setperms filesystem' then 'rpm -qa 2>/dev/null|xargs rpm --setperms' but the problem is still there.

unSpawn 03-22-2009 10:29 AM

What does 'rpm -qV audit' return? Are there any errors in /var/log/messages?

prashant.saraf 03-22-2009 02:06 PM

Quote:

What does 'rpm -qV audit' return?
[root@xpro blackperl]# rpm -qV audit
.M...... /sbin/audispd
.M...... /sbin/auditctl
.M...... /sbin/auditd
.M...... /sbin/aureport
.M...... /sbin/ausearch
.M...... /sbin/autrace
.M...... d /usr/share/doc/audit-1.7.12/COPYING
.M...... d /usr/share/doc/audit-1.7.12/ChangeLog
.M...... d /usr/share/doc/audit-1.7.12/README
.M...... d /usr/share/doc/audit-1.7.12/auditd.cron
.M...... d /usr/share/doc/audit-1.7.12/capp.rules
.M...... d /usr/share/doc/audit-1.7.12/lspp.rules
.M...... d /usr/share/doc/audit-1.7.12/nispom.rules
.M...... d /usr/share/doc/audit-1.7.12/stig.rules
.M...... /var/log/audit

Quote:

Are there any errors in /var/log/messages?
I am sorry, but I did not understand most of it. I searched for auditd and found this:

Mar 23 00:27:14 xpro kernel: type=1400 audit(1237748234.566:291): avc: denied { getattr } for pid=3829 comm="rpm" path="/etc/audit" dev=dm-0 ino=2638764 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir


I am able to log in with GDM, but not in the normal way:
1. Edit the GRUB entry to add enforcing=0 1
2. Type the exit command
3. Everything restarts
4. auditd fails again
5. Enter login ID and password and log in... but it's not the solution :(

Thanks for all of your help. What should I do next?

unSpawn 03-22-2009 03:24 PM

The ".M......" lines say 'rpm -qa 2>/dev/null|xargs rpm --setperms' has not run correctly. This must be done again. If you think it might be easier, you could boot your installer CD (or any Live CD), chroot to the mounted system and run things from there.
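
An added example (not part of the original thread): a small shell decoder for the `rpm -V` flag columns discussed above, so lines such as ".M......" can be read at a glance. The first three sample lines are copied from the output posted in the thread; the last two are constructed for illustration, and the script assumes paths without spaces.

```shell
#!/bin/sh
# Added example: decode the flag column of `rpm -V` output.
# Lines 1-3 are from the thread; the last two are constructed samples.
sample_verify_output() {
cat <<'EOF'
.M...... /sbin/auditd
.M...... d /usr/share/doc/audit-1.7.12/README
.M...... /var/log/audit
S.5....T c /etc/example.conf
missing    /usr/bin/example
EOF
}

# Read `rpm -V` output on stdin and print "path: failed tests".
# Assumes paths contain no spaces (the path is taken as the last field).
decode_rpm_verify() {
  awk '
    BEGIN {
      name["S"]="size"; name["M"]="mode"; name["5"]="digest"
      name["D"]="device"; name["L"]="symlink"; name["U"]="user"
      name["G"]="group"; name["T"]="mtime"; name["P"]="capabilities"
    }
    $1 == "missing" { print $NF ": missing"; next }
    NF >= 2 {
      out = ""
      for (i = 1; i <= length($1); i++) {
        c = substr($1, i, 1)
        if (c == ".") continue          # "." means this test passed
        label = (c in name) ? name[c] : ((c == "?") ? "unreadable" : "unknown(" c ")")
        out = out (out == "" ? "" : ",") label
      }
      print $NF ": " out
    }'
}

# Count files whose mode (permissions/file type) differs from the RPM database.
count_mode_mismatches() {
  awk '$1 != "missing" && NF >= 2 && substr($1, 2, 1) == "M" { n++ } END { print n + 0 }'
}

sample_verify_output | decode_rpm_verify
```

On a live system, pipe `rpm -V audit` into `decode_rpm_verify`; a mode-mismatch count of zero corresponds to the empty `rpm -qV audit` output reported later in the thread.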

prashant.saraf 03-22-2009 10:41 PM

I have executed rpm -qV audit again, and now no output is coming from it. I am able to start the system with enforcing=0, but SE Linux throws many messages every time I log in, and login takes time to load.

Thanks for your help

unSpawn 03-23-2009 04:02 AM

Quote:

Originally Posted by prashant.saraf (Post 3484558)
I have executed rpm -qV audit again, and now no output is coming from it.

Well, you're getting somewhere...


Quote:

Originally Posted by prashant.saraf (Post 3484558)
I am able to start the system with enforcing=0, but SE Linux throws many messages every time I log in, and login takes time to load.

Since it's in permissive mode that's OK. But I wonder what else you did except change directory permissions. Do all services start OK now? Post some errors?

