I don't understand why it issues a second AUDIT_SET (the seq=4 request in the strace) after it has already decided to exit -- maybe it's just trying to tear itself down cleanly. Note that the seq=4 payload differs from the seq=3 one only in that the four bytes that were \xa2\xb8\x29\x00 (0x29b8a2 = 2734242, the same pid the kernel replies to) are zeroed, so it looks like an attempt to clear the registered audit pid on the way out.
I found a few places in the kernel audit code that return either "file exists" (-EEXIST) or a permission error (-EPERM):
kernel/audit.c audit_netlink_ok():
/* Only support auditd and auditctl in initial pid namespace
* for now. */
if (task_active_pid_ns(current) != &init_pid_ns) return -EPERM;
if (!netlink_capable(skb, CAP_AUDIT_CONTROL)) err = -EPERM; break;
kernel/audit.c audit_receive_msg():
auditd_pid = auditd_pid_vnr(); if (auditd_pid) { /* replacing a healthy auditd is not allowed */ if (new_pid) { audit_log_config_change("audit_pid", new_pid, auditd_pid, 0); return -EEXIST; }
kernel/audit.c audit_set_feature():
/* are we changing a locked feature? */
if (old_lock && (new_feature != old_feature)) { audit_log_feature_change(i, old_feature, new_feature, old_lock, new_lock, 0); return -EPERM;
}
Do any of these feel applicable to your environment? One caveat: the strace reports the second failure as -EACCES ("Permission denied"), while the snippets above return -EPERM ("Operation not permitted"), so only the -EEXIST path in audit_receive_msg() matches the trace exactly; the -EACCES is probably the separate check in audit_receive_msg() that only lets the currently registered auditd clear the pid -- worth confirming against your kernel version.
Thanks for the strace, these looked like the 'important' parts:
sendto(3, {{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=3, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}, 56, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 56
poll([{fd=3, events=POLLIN}], 1, 500) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=3, pid=2734242}, {error=-EEXIST, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=3, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}}, 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 76
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=3, pid=2734242}, {error=-EEXIST, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=3, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}}, 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 76
write(2, "Error setting audit daemon pid ("..., 44Error setting audit daemon pid (File exists)) = 44
...
write(2, "The audit daemon is exiting.", 28The audit daemon is exiting.) = 28
write(2, "\n", 1
) = 1
sendto(3, {{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=4, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}, 56, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 56
poll([{fd=3, events=POLLIN}], 1, 500) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=4, pid=2734242}, {error=-EACCES, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=4, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}}, 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 76
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=4, pid=2734242}, {error=-EACCES, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=4, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}}, 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 76
write(2, "Error setting audit daemon pid ("..., 50Error setting audit daemon pid (Permission denied)) = 50
write(2, "\n", 1
) = 1
I don't understand why it issues a second AUDIT_SET (the seq=4 request in the strace) after it has already decided to exit -- maybe it's just trying to tear itself down cleanly. Note that the seq=4 payload differs from the seq=3 one only in that the four bytes that were \xa2\xb8\x29\x00 (0x29b8a2 = 2734242, the same pid the kernel replies to) are zeroed, so it looks like an attempt to clear the registered audit pid on the way out.
I found a few places in the kernel audit code that return either "file exists" (-EEXIST) or a permission error (-EPERM):
kernel/audit.c audit_netlink_ok():
/* Only support auditd and auditctl in initial pid namespace
 * for now. */
if (task_active_pid_ns(current) != &init_pid_ns)
	return -EPERM;
if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
	err = -EPERM;
break;
kernel/audit.c audit_receive_msg():
kernel/audit.c audit_set_feature():
/* are we changing a locked feature? */
if (old_lock && (new_feature != old_feature)) {
	audit_log_feature_change(i, old_feature, new_feature,
				 old_lock, new_lock, 0);
	return -EPERM;
}
Do any of these feel applicable to your environment? One caveat: the strace reports the second failure as -EACCES ("Permission denied"), while the snippets above return -EPERM ("Operation not permitted"), so only the -EEXIST path in audit_receive_msg() matches the trace exactly; the -EACCES is probably the separate check in audit_receive_msg() that only lets the currently registered auditd clear the pid -- worth confirming against your kernel version.
Thanks