Could not open dir /var/log/audit (Permission denied)

On a Redhat Linux 8 system, the /var/log/audit is mounted on a dedicated partition. Somehow the size of it was allocated quite small. And we needed to increase it.

After it was remounted to a bigger partition, auditd would not start. Tried to manually start the service and got the exit status code 6

root@joetest01:/var/log# systemctl start auditd
Job for auditd.service failed because the control process exited with error code.
See "systemctl status auditd.service" and "journalctl -xe" for details.

root@joetest01:/var/log# systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2021-12-02 20:22:49 EST; 4min 4s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 1695914 ExecStart=/sbin/auditd (code=exited, status=6)
Dec 02 20:22:49 joetest01 systemd[1]: Starting Security Auditing Service…
Dec 02 20:22:49 joetest01 systemd[1]: auditd.service: Control process exited, code=exited status=6
Dec 02 20:22:49 joetest01 systemd[1]: auditd.service: Failed with result 'exit-code'.
Dec 02 20:22:49 joetest01 systemd[1]: Failed to start Security Auditing Service.

I Then tried to start the audit daemo from the command line to see if it would output something that was more useful.

/sbin/auditd -f

The command above will put it in debug mode where it write more info to stdout.

Also used “journalctl -xe” to see logs and saw “Permission denied” error.

root@joetest01:/var/log# journalctl -xe
Dec 02 20:22:49 joetest01 systemd[1]: Starting Security Auditing Service…
-- Subject: Unit auditd.service has begun start-up
-- Defined-By: systemd-- Unit auditd.service has begun starting up.
Dec 02 20:22:49 joetest01 kernel: kauditd_printk_skb: 1 callbacks suppressed
Dec 02 20:22:49 joetest01 kernel: audit: type=1400 audit(1638494569.921:9146): avc: denied { read } for pid=1695914 comm="auditd" name="/" dev="sda7" ino=128 scontext=system_u:system_r:auditd_t:s0 tconte>
Dec 02 20:22:49 joetest01 auditd[1695914]: Could not open dir /var/log/audit (Permission denied)
Dec 02 20:22:49 joetest01 auditd[1695914]: The audit daemon is exiting.
Dec 02 20:22:49 joetest01 systemd[1]: auditd.service: Control process exited, code=exited status=6
Dec 02 20:22:49 joetest01 systemd[1]: auditd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- The unit auditd.service has entered the 'failed' state with result 'exit-code'.
Dec 02 20:22:49 joetest01 systemd[1]: Failed to start Security Auditing Service.
-- Subject: Unit auditd.service has failed
-- Defined-By: systemd
-- Unit auditd.service has failed.
-- The result is failed.

So the error gave me a clue that it might be related to SELinux security context. Check with “-Z” option of “ls” and it showed “unlabeled_t” instead of “auditd_log_t

root@aheicsporaprd01:/var/log# ls -Zd /var/log/audit
system_u:object_r:unlabeled_t:s0 /var/log/audit

Restored the context of SELinux with the command “restorecon” and confirmed again:

root@aheicsporaprd01:/var/log# restorecon /var/log/audit
root@aheicsporaprd01:/var/log# ls -Zd /var/log/audit
system_u:object_r:auditd_log_t:s0 /var/log/audit

The service has started to work again:

root@joetest01:/var/log# systemctl start auditd
root@joetest01:/var/log# systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-12-02 20:27:28 EST; 5s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 1701973 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
Process: 1701966 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 1701967 (auditd)
Tasks: 5 (limit: 1645960)
Memory: 2.9M
CGroup: /system.slice/auditd.service
├─1701967 /sbin/auditd
├─1701969 /sbin/audisp-syslog LOG_LOCAL6
└─1701970 /sbin/audisp-syslog LOG_LOCAL6
Dec 02 20:27:28 joetest01 audispd[1701970]: node=joetest01 type=SYSCALL msg=audit(1638494848.444:9360): arch=c000003e syscall=44 success=yes exit=1064 a0=3 a1=7ffd86465de0 a2=428 a3=0 items=0 ppid=170>
Dec 02 20:27:28 joetest01 audispd[1701969]: node=joetest01 type=SYSCALL msg=audit(1638494848.444:9360): arch=c000003e syscall=44 success=yes exit=1064 a0=3 a1=7ffd86465de0 a2=428 a3=0 items=0 ppid=170>
Dec 02 20:27:28 joetest01 audispd[1701970]: node=joetest01 type=SOCKADDR msg=audit(1638494848.444:9360): saddr=100000000000000000000000 SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
Dec 02 20:27:28 joetest01 audispd[1701969]: node=joetest01 type=SOCKADDR msg=audit(1638494848.444:9360): saddr=100000000000000000000000 SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
Dec 02 20:27:28 joetest01 audispd[1701970]: node=joetest01 type=PROCTITLE msg=audit(1638494848.444:9360): proctitle=2F7362696E2F617564697463746C002D52002F6574632F61756469742F61756469742E72756C6573
Dec 02 20:27:28 joetest01 audispd[1701969]: node=joetest01 type=PROCTITLE msg=audit(1638494848.444:9360): proctitle=2F7362696E2F617564697463746C002D52002F6574632F61756469742F61756469742E72756C6573
Dec 02 20:27:28 joetest01 audispd[1701970]: node=joetest01 type=EOE msg=audit(1638494848.444:9360):
Dec 02 20:27:28 joetest01 audispd[1701969]: node=joetest01 type=EOE msg=audit(1638494848.444:9360):
Dec 02 20:27:28 joetest01 audispd[1701970]: node=joetest01 type=SERVICE_START msg=audit(1638494848.446:9361): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=audi>
Dec 02 20:27:28 joetest01 audispd[1701969]: node=joetest01 type=SERVICE_START msg=audit(1638494848.446:9361): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=audi>
lines 1-25/25 (END)

One thought on “Could not open dir /var/log/audit (Permission denied)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s