slcoit
asked on
"kernel: audit" message recurring in /var/log/messages
Running RHEL4 2.6.9-55.0.2.ELhugemem on Dell PowerEdge 6850.
Constantly getting "kernel: audit" messages in my /var/log/messages file.
Running a Library application database with patrons accessing through web interface.
Would like to clean these messages out of my log. How do I do that?
Sample of messages:
Feb 8 06:01:17 dat2 kernel: audit(1202468477.264:10474): avc: denied { search } for pid=16634 comm="httpd" name="WWW" dev=dm-12 ino=1101085 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=dir
Feb 8 06:01:17 dat2 kernel: audit(1202468477.264:10475): avc: denied { getattr } for pid=16634 comm="httpd" name="WWW" dev=dm-12 ino=1101085 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=dir
Feb 8 06:01:17 dat2 kernel: audit(1202468477.264:10476): avc: denied { getattr } for pid=16634 comm="httpd" name="cgisirsi" dev=dm-12 ino=1720325 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=file
Feb 8 06:01:17 dat2 kernel: audit(1202468477.264:10477): avc: denied { read } for pid=16634 comm="httpd" name="cgisirsi" dev=dm-12 ino=1720325 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=file
Feb 8 06:01:17 dat2 kernel: audit(1202468477.267:10478): avc: denied { execute } for pid=7229 comm="httpd" name="cgisirsi" dev=dm-12 ino=1720325 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=file
Feb 8 06:01:17 dat2 kernel: audit(1202468477.267:10479): avc: denied { execute_no_trans } for pid=7229 comm="httpd" name="cgisirsi" dev=dm-12 ino=1720325 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=file
Feb 8 06:01:17 dat2 kernel: audit(1202468477.270:10480): avc: denied { search } for pid=7229 comm="cgisirsi" name="sirsi" dev=dm-12 ino=868353 scontext=root:system_r:httpd_t tcontext=root:object_r:file_t tclass=dir
ASKER
I don't believe disabling SELinux is what I want to do.
I saw somewhere that the roles that are assigned to objects, such as root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=file in the messages, could be the problem.
My problem is that I do not know what the correct roles should be and where to change them.
I would like to correct the situation and still have SELinux working.
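To see what the denials quoted in the question have in common before changing any SELinux setting, the sketch below groups them by source type, target type and object class. It is an added example, not part of the original thread; the function names are illustrative, and the sample lines are the ones from the question with the line wrapping undone.

```python
import re
from collections import defaultdict

# The seven denials quoted in the question, with the line wrapping undone.
SAMPLE = """\
Feb 8 06:01:17 dat2 kernel: audit(1202468477.264:10474): avc: denied { search } for pid=16634 comm="httpd" name="WWW" dev=dm-12 ino=1101085 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=dir
Feb 8 06:01:17 dat2 kernel: audit(1202468477.264:10475): avc: denied { getattr } for pid=16634 comm="httpd" name="WWW" dev=dm-12 ino=1101085 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=dir
Feb 8 06:01:17 dat2 kernel: audit(1202468477.264:10476): avc: denied { getattr } for pid=16634 comm="httpd" name="cgisirsi" dev=dm-12 ino=1720325 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=file
Feb 8 06:01:17 dat2 kernel: audit(1202468477.264:10477): avc: denied { read } for pid=16634 comm="httpd" name="cgisirsi" dev=dm-12 ino=1720325 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=file
Feb 8 06:01:17 dat2 kernel: audit(1202468477.267:10478): avc: denied { execute } for pid=7229 comm="httpd" name="cgisirsi" dev=dm-12 ino=1720325 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=file
Feb 8 06:01:17 dat2 kernel: audit(1202468477.267:10479): avc: denied { execute_no_trans } for pid=7229 comm="httpd" name="cgisirsi" dev=dm-12 ino=1720325 scontext=root:system_r:httpd_t tcontext=user_u:object_r:file_t tclass=file
Feb 8 06:01:17 dat2 kernel: audit(1202468477.270:10480): avc: denied { search } for pid=7229 comm="cgisirsi" name="sirsi" dev=dm-12 ino=868353 scontext=root:system_r:httpd_t tcontext=root:object_r:file_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def sel_type(context):
    """Third field of user:role:type[:level], the part type enforcement decides on."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, class) -> (perms, object names)."""
    groups = defaultdict(lambda: (set(), set()))
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # not an AVC denial, or a truncated one
        key = (sel_type(rec["scontext"]), sel_type(rec["tcontext"]), rec["tclass"])
        perms, names = groups[key]
        perms.update(rec["perms"])
        names.add(rec.get("name", "?"))
    return {k: (sorted(p), sorted(n)) for k, (p, n) in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), (perms, names) in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt} [{cls}] perms={perms} names={names}")
```

On the sample, every denial is a process of type httpd_t acting on a directory or file of type file_t, so the labels on the WWW, sirsi and cgisirsi objects are the common factor to examine; `ls -Z` shows the labels currently on them.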
Forced accept.
Computer101
EE Admin
change in /etc/selinux/config
SELINUX=permissive
to
SELINUX=disabled
then reboot