How can I move /var/log/audit/audit.log to another partition

Jepper asked:

Fresh centos 6.5 with updates installed. We want to log auditd to a non persistent volume since we capture everything with splunk or logstash.

The destination dir is /mnt/ephemeral/audit/

# ls -l /var/log
lrwxrwxrwx. 1 root      root          21 Dec  9 12:11 audit -> /mnt/ephemeral/audit

With this in place, auditd fails to start, presumably it’s denied by selinux. I’m assuming the logs in /var/log/messages contains the required avc denials to create a new policy.

So I

semanage permissive -a auditd_t

and try again

Dec  9 12:50:56 myhost kernel: type=1400 audit(1418129456.307:93): avc:  denied  { write } for  pid=13174 comm="auditd" name="audit" dev=xvdb ino=147457 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
Dec  9 12:50:56 myhost kernel: type=1400 audit(1418129456.307:94): avc:  denied  { add_name } for  pid=13174 comm="auditd" name="audit.log" scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
Dec  9 12:50:56 myhost kernel: type=1400 audit(1418129456.307:95): avc:  denied  { create } for  pid=13174 comm="auditd" name="audit.log" scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
Dec  9 12:50:56 myhost kernel: type=1400 audit(1418129456.307:96): avc:  denied  { read open } for  pid=13174 comm="auditd" name="audit.log" dev=xvdb ino=147458 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
Dec  9 12:50:56 myhost kernel: type=1400 audit(1418129456.307:97): avc:  denied  { getattr } for  pid=13174 comm="auditd" path="/mnt/ephemeral0/audit/audit.log" dev=xvdb ino=147458 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
Dec  9 12:50:56 myhost kernel: type=1400 audit(1418129456.310:98): avc:  denied  { append } for  pid=13175 comm="auditd" name="audit.log" dev=xvdb ino=147458 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
Dec  9 12:50:56 myhost kernel: type=1400 audit(1418129456.310:99): avc:  denied  { setattr } for  pid=13175 comm="auditd" name="audit.log" dev=xvdb ino=147458 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

So I then

grep avc /var/log/messages > /tmp/avc
audit2allow -M mypol < /tmp/avc
semodule -i mypol.pp
restorecon -R -v /

Contents of the te file:

# cat mypol.te    
module mypol 1.0;
require {
    type var_t;
    type auditd_t;
    class dir { write add_name };
    class file { getattr setattr read create open append };
}

    #============= auditd_t ==============
    #!!!! The source type 'auditd_t' can write to a 'dir' of the following types:
    # var_run_t, auditd_var_run_t, file_t, auditd_log_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

    allow auditd_t var_t:dir { write add_name };
    allow auditd_t var_t:file { getattr setattr read create open append };

But auditd refuse to start. I’m weak on selinux admittedly, please don’t flame!

Tried Michaels suggestion, I see in /var/log/messages

Dec 10 11:42:52 myhost kernel: type=1400 audit(1418211771.996:29): avc:  denied  { read } for  pid=1494 comm="auditd" name="audit" dev=xvdf ino=49153 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir
Dec 10 11:42:52 myhost auditd: Could not open dir /mnt/ephemeral/audit (Permission denied)

Back to audit2allow, I tried

# grep avc /var/log/messages |tail -n1 | audit2allow -w
Dec 10 12:03:09 euw1-infradev01-sonar-01 kernel: type=1400 audit(1418212989.424:48): avc:  denied  { read } for  pid=1928 comm="auditd" name="audit" dev=xvdf ino=49153 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir

    Was caused by:
        Missing type enforcement (TE) allow rule.


# grep avc /var/log/messages |tail -n1 | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

# cat mypol.te

module mypol 1.0;

require {
    type var_log_t;
    type auditd_t;
    class dir read;
}

#============= auditd_t ==============
allow auditd_t var_log_t:dir read;

and, bingo hopefully:

# setenforce 1
# service auditd start
Starting auditd:                                           [  OK  ]

Final bit, is this persistent across reboot? I shall find out.

My answer:


SELinux denies auditd to do anything with /mnt/ephemeral/audit because it doesn’t have one of the allowed types; instead it appears to have a generic type.

You need to tell SELinux what context to give this directory and the files in it. Ideally we’ll copy the existing context that applies to /var/log/audit and reuse that.

So when we look in /etc/selinux/targeted/contexts/files/file_contexts we find the applicable context is:

/var/log/audit(/.*)?        system_u:object_r:auditd_log_t:s0

This is easy to adapt. Run the command:

semanage fcontext --add --type auditd_log_t "/mnt/ephemeral/audit(/.*)?"

Then fix the existing file contexts:

restorecon -r -v /mnt/ephemeral/audit

Finally, restart auditd.

I make no guarantees about what will happen on the next boot. You will need to test this and see what breaks. 🙂


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.