152733 – auditd initscript should handle missing kernel module better

Bug 152733 - auditd initscript should handle missing kernel module better

Summary: auditd initscript should handle missing kernel module better

Status:	RESOLVED FIXED

Alias:	None

Product:	SUSE Linux 10.1
Classification:	openSUSE
Component:	AppArmor (show other bugs)
Version:	Beta 3
Hardware:	Other Other

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	---
Assignee:	Marcus Meissner
QA Contact:	Dominic W Reynolds

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2006-02-22 11:13 UTC by Andreas Kleen
Modified:	2006-03-20 15:56 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Other
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Kleen 2006-02-22 11:13:58 UTC

When I boot a kernel without apparmor support I get some nasty error
messages at boot. IMHO the case of people running their own self 
compiled kernels should be handled more gratefully

Starting auditd Error sending rule list request (Connection refused)
Error sending watch list request (Connection refused)
Error sending rule list request (Connection refused)
Error sending watch list request (Connection refused)
There was an error in line 7 of /etc/audit.rules
                                                                      failed

/etc/audit.rules is all ok as far as I can tell. Ideally I would it
to just give an one line warning and then vanish without trace
if the kernel doesn't support armor.

Comment 1 Tony Jones 2006-02-24 15:55:34 UTC

Andi: This doesn't seem to have anything to do with AppArmor.

Are you sure your custom kernel has audit support compiled in.  From the errors it looks like it does not or there is some versioning issue that is preventing the userland audit daemon from communicating with the kernel.

Now, auditd could be a lot less noisy in this case,  if this is the complaint, can you refile against the audit component.

Comment 2 Andreas Kleen 2006-02-24 16:09:16 UTC

No it hasn't apparmor compiled in. That was the whole point of the bug - 
the user land should handle that gratefully instead of spreading lies 
about the configuration files.

I don't see a "audit component" in bugzilla so I'm leaving the bug to you.

Comment 3 Tony Jones 2006-02-24 18:54:23 UTC

I understand that your kernel doesn't have AppArmor compiled in.

But this isn't whats causing the problem.

I believe your kernel doesn't have audit support compiled in EITHER.

There is no connection between AppArmor and audit,  other than AppArmor
is a user of the audit subsystem.

I don't think the belongs against AppArmor, though I understand we
are the nearest target.

Comment 4 Andreas Kleen 2006-02-24 18:58:59 UTC

Ok please reassign then to whoever maintains the audit userland. I don't 
know what that is.

Comment 5 Tony Jones 2006-02-24 20:51:36 UTC

Reassigned to the audit maintainer.

Comment 6 Marcus Meissner 2006-03-06 13:36:00 UTC

I reduced the connection refused lines now.

should I reduce the "There was an error in line 7 of /etc/audit.rules" too?

this is a bit harder ;)

Comment 7 Andreas Kleen 2006-03-06 13:42:29 UTC

Yes please - that is the more serious issue because it's actually wrong.

Comment 8 Marcus Meissner 2006-03-20 15:56:50 UTC

it now just says "failed" when doing rcauditd start.

hope this is well :)