Bug 152733

Summary: auditd initscript should handle missing kernel module better
Product: [openSUSE] SUSE Linux 10.1 Reporter: Andreas Kleen <ak>
Component: AppArmorAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Dominic W Reynolds <dreynolds>
Severity: Normal    
Priority: P5 - None CC: suse-beta
Version: Beta 3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Kleen 2006-02-22 11:13:58 UTC 
When I boot a kernel without apparmor support I get some nasty error
messages at boot. IMHO the case of people running their own self 
compiled kernels should be handled more gratefully

Starting auditd Error sending rule list request (Connection refused)
Error sending watch list request (Connection refused)
Error sending rule list request (Connection refused)
Error sending watch list request (Connection refused)
There was an error in line 7 of /etc/audit.rules
                                                                      failed

/etc/audit.rules is all ok as far as I can tell. Ideally I would it
to just give an one line warning and then vanish without trace
if the kernel doesn't support armor.
Comment 1 Tony Jones 2006-02-24 15:55:34 UTC 
Andi: This doesn't seem to have anything to do with AppArmor.

Are you sure your custom kernel has audit support compiled in.  From the errors it looks like it does not or there is some versioning issue that is preventing the userland audit daemon from communicating with the kernel.

Now, auditd could be a lot less noisy in this case,  if this is the complaint, can you refile against the audit component.
Comment 2 Andreas Kleen 2006-02-24 16:09:16 UTC 
No it hasn't apparmor compiled in. That was the whole point of the bug - 
the user land should handle that gratefully instead of spreading lies 
about the configuration files.

I don't see a "audit component" in bugzilla so I'm leaving the bug to you.
Comment 3 Tony Jones 2006-02-24 18:54:23 UTC 
I understand that your kernel doesn't have AppArmor compiled in.

But this isn't whats causing the problem.

I believe your kernel doesn't have audit support compiled in EITHER.

There is no connection between AppArmor and audit,  other than AppArmor
is a user of the audit subsystem.

I don't think the belongs against AppArmor, though I understand we
are the nearest target.
Comment 4 Andreas Kleen 2006-02-24 18:58:59 UTC 
Ok please reassign then to whoever maintains the audit userland. I don't 
know what that is.
Comment 5 Tony Jones 2006-02-24 20:51:36 UTC 
Reassigned to the audit maintainer.
Comment 6 Marcus Meissner 2006-03-06 13:36:00 UTC 
I reduced the connection refused lines now.

should I reduce the "There was an error in line 7 of /etc/audit.rules" too?

this is a bit harder ;)
Comment 7 Andreas Kleen 2006-03-06 13:42:29 UTC 
Yes please - that is the more serious issue because it's actually wrong.
Comment 8 Marcus Meissner 2006-03-20 15:56:50 UTC 
it now just says "failed" when doing rcauditd start.

hope this is well :)