Hello,
I have a weird problem with auditd: it refuses to start using the service command or from /etc/init.d/. I am running RHEL 5 Desktop.
Code:
[root@rtcs-server BC3]# /sbin/service auditd start
Starting auditd: [FAILED]
syslog shows the following messages:
Code:
Oct 21 13:47:46 rtcs-server kernel: type=1400 audit(1256147266.623:8): avc: denied { dac_override } for pid=3895 comm="auditd" capability=1 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Oct 21 13:47:46 rtcs-server kernel: type=1400 audit(1256147266.623:9): avc: denied { dac_read_search } for pid=3895 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability
Oct 21 13:47:46 rtcs-server auditd: Could not open dir /var/log/audit (Permission denied)
Oct 21 13:47:46 rtcs-server auditd: The audit daemon is exiting.
However, I can start auditd just fine by calling an executable:
Code:
[root@rtcs-server BC3]# /sbin/auditd
[root@rtcs-server BC3]# /etc/init.d/auditd status
auditd (pid 3938) is running...
[root@rtcs-server BC3]#
Permissions for audit log directory are:
Code:
[root@rtcs-server BC3]# ls -l /var/log/audit
total 4532
-rw-r----- 1 root root 4623267 Oct 21 13:54 audit.log
[root@rtcs-server BC3]# ls -l /var/log/ | grep audit
drw-r----- 2 root root 4096 Oct 19 10:07 audit
Which is 0640, exactly what auditd needs.
Any help would be appreciated.
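
An added example, not part of the original post: a Python sketch that scans the syslog lines quoted above for AVC denials of the DAC-bypass capabilities and checks an `ls -l` directory mode string for missing search (x) bits. The function names are hypothetical, and the sample lines are copied from the post.

```python
import re

# Capabilities that let a process bypass mode-bit (DAC) permission checks.
DAC_BYPASS = {"dac_override", "dac_read_search"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

# Sample input: lines copied from the syslog excerpt in the post.
SAMPLE = [
    'Oct 21 13:47:46 rtcs-server kernel: type=1400 audit(1256147266.623:8): avc: denied { dac_override } for pid=3895 comm="auditd" capability=1 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability',
    'Oct 21 13:47:46 rtcs-server kernel: type=1400 audit(1256147266.623:9): avc: denied { dac_read_search } for pid=3895 comm="auditd" capability=2 scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=capability',
    "Oct 21 13:47:46 rtcs-server auditd: Could not open dir /var/log/audit (Permission denied)",
]

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = (kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec = {k: v.strip('"') for k, v in pairs}
    rec["perms"] = m.group("perms").split()
    return rec

def dac_bypass_denials(lines, comm):
    """List DAC-bypass capabilities that SELinux denied to the process `comm`."""
    denied = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("comm") == comm and rec.get("tclass") == "capability":
            denied.extend(p for p in rec["perms"] if p in DAC_BYPASS)
    return denied

def missing_search_bits(ls_mode):
    """For a directory mode string from `ls -l`, list classes lacking the x bit."""
    if not ls_mode.startswith("d"):
        raise ValueError("not a directory mode string")
    classes = ("owner", "group", "other")
    # x, s and t all mean the execute/search bit is set; -, S and T mean it is not.
    return [c for i, c in enumerate(classes) if ls_mode[3 + 3 * i] not in "xst"]

if __name__ == "__main__":
    print("denied capabilities:", dac_bypass_denials(SAMPLE, "auditd"))
    print("classes without search bit:", missing_search_bits("drw-r-----"))
```

On Linux, entering a directory requires the search (x) bit; a root process without that bit depends on CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE, the two capabilities the denials record for the auditd_t domain.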