Unable to write at /var/log/audit: Permission denied


This is what journalctl -b -p 03 returns concerning my last boot. Also, the /var/log/audit directory is empty. I think the issue is pretty clear :slight_smile:

I’ve tried setting permissions and ownership manually using chmod and chown, but the issue does not disappear. Is this a SELinux issue? How should I go about it? What exact combination of permissions and ownership would be adequate on that directory?

Thank you very much in advance!

Hello @nycticorax and welcome!

Could you provide the result of
sudo ls -la /var/log/audit
and
sudo ls -Z /var/log/audit

Hello, thanks for helping!

    total 8
    drwx------.  2 root root 4096 21 mai 11:04 .
    drwxr-xr-x. 11 root root 4096 26 mai 15:39 ..

and

(Nothing) -- like just a new bash line as if the command was "accepted"

respectively.

Sorry, I meant
sudo ls -Zd /var/log/audit

unconfined_u:object_r:var_log_t:s0 /var/log/audit

Ok.
At least looking on my (working) system, it should be:
system_u:object_r:auditd_log_t:s0 /var/log/audit

So, try to issue this command: restorecon (restore file(s) default SELinux security contexts).
sudo restorecon /var/log/audit

Check the SELinux context again
sudo ls -Zd /var/log/audit

If they are ok, start the auditd service
sudo systemctl start auditd

Did sudo restorecon /var/log/audit. Command accepted. Did sudo ls -Zd /var/log/audit. Got unconfined_u:object_r:auditd_log_t:s0 /var/log/audit again.

And auditd doesn’t start either?

Could you provide the result of these two commands?
grep "/var/log/audit" /etc/selinux/targeted/contexts/files/file_contexts
rpm -q selinux-policy-targeted

Thank you for being more thorough than I am; indeed systemctl now reports an active auditd service after starting it manually! Just to be sure, however, here are the results you wanted:
grep "/var/log/audit" /etc/selinux/targeted/contexts/files/file_contexts:

/var/log/audit(/.*)?    system_u:object_r:auditd_log_t:s0
/var/log/audit\.log.*   --      system_u:object_r:auditd_log_t:s0
/var/log/audit/lost\+found/.*   <<none>>
/var/log/audit/lost\+found      -d      system_u:object_r:lost_found_t:s0

and rpm -q selinux-policy-targeted:

selinux-policy-targeted-3.14.5-38.fc32.noarch

1 Like

I’m not an expert on SELinux.
Btw, “If a file object has a context, restorecon will only modify the type portion of the security context. The -F option will force a replacement of the entire context.”

So, to completely restore the default context:
sudo restorecon -F /var/log/audit

1 Like
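To make the difference between plain restorecon and restorecon -F concrete, here is an added example (not code from the thread or from any SELinux tool) that parses the four file_contexts lines quoted above, looks up the policy default for a path the way setfiles/restorecon does in simplified form (specs are anchored to the whole path, the optional second column restricts the object class, and the last matching spec wins), and reports which fields of the observed label differ. It then simulates what each form of restorecon leaves behind: the type only, or the whole context. Function names and the hypothetical check_path() report format are the example's own; the sample input is exactly what was posted, and the regexes are treated with Python's re module rather than the POSIX ERE engine libselinux uses, which is fine for these patterns.

```python
"""
Compare a path's SELinux label against a file_contexts database and say
whether `restorecon` (type only) or `restorecon -F` (full context) is needed.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed input: the four file_contexts lines quoted in the thread.
FILE_CONTEXTS_TEXT = r"""
/var/log/audit(/.*)?    system_u:object_r:auditd_log_t:s0
/var/log/audit\.log.*   --      system_u:object_r:auditd_log_t:s0
/var/log/audit/lost\+found/.*   <<none>>
/var/log/audit/lost\+found      -d      system_u:object_r:lost_found_t:s0
"""

# Optional middle column of a spec: the object class it is limited to.
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
               "-b": "block", "-s": "socket", "-p": "fifo"}
FIELDS = ("user", "role", "type", "range")


class Spec(NamedTuple):
    pattern: re.Pattern
    ftype: Optional[str]      # None means the spec applies to any object class
    context: Optional[str]    # None encodes <<none>> (path is never relabelled)


def parse_file_contexts(text: str) -> List[Spec]:
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2:
            regex, ctx, ftype = parts[0], parts[1], None
        elif len(parts) == 3 and parts[1] in FTYPE_FLAGS:
            regex, ctx, ftype = parts[0], parts[2], FTYPE_FLAGS[parts[1]]
        else:
            raise ValueError(f"unparseable file_contexts line: {raw!r}")
        # Specs are implicitly anchored to the whole path.
        specs.append(Spec(re.compile(r"^(?:" + regex + r")$"), ftype,
                          None if ctx == "<<none>>" else ctx))
    return specs


def default_context(specs: List[Spec], path: str, ftype: str = "file") -> Optional[str]:
    """Policy default for path, or None when nothing matches or the winning
    spec is <<none>>. Like restorecon, the last matching spec wins."""
    winner = None
    for spec in specs:
        if spec.ftype not in (None, ftype):
            continue
        if spec.pattern.match(path):
            winner = spec
    return winner.context if winner else None


def split_context(ctx: str) -> Dict[str, str]:
    parts = ctx.split(":", 3)          # user:role:type:range (range may hold ':')
    if len(parts) != 4:
        raise ValueError(f"not a 4-field SELinux context: {ctx!r}")
    return dict(zip(FIELDS, parts))


def context_diff(actual: str, expected: str) -> List[str]:
    a, e = split_context(actual), split_context(expected)
    return [f for f in FIELDS if a[f] != e[f]]


def simulate_restorecon(actual: str, expected: str, force: bool = False) -> str:
    """Label left behind: only the type is rewritten unless -F is given."""
    if force:
        return expected
    a = split_context(actual)
    a["type"] = split_context(expected)["type"]
    return ":".join(a[f] for f in FIELDS)


def recommend(actual: str, expected: str) -> str:
    diff = context_diff(actual, expected)
    if not diff:
        return "label already matches policy"
    return "restorecon <path>" if diff == ["type"] else "restorecon -F <path>"


def check_path(specs: List[Spec], path: str, actual: str, ftype: str = "file") -> Dict:
    expected = default_context(specs, path, ftype)
    if expected is None:
        return {"path": path, "expected": None, "diff": [],
                "fix": "no policy default (<<none>> or unmatched)"}
    return {"path": path, "expected": expected,
            "diff": context_diff(actual, expected), "fix": recommend(actual, expected)}


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS_TEXT)
    seen = "unconfined_u:object_r:var_log_t:s0"      # the `ls -Zd` output in the thread
    report = check_path(specs, "/var/log/audit", seen, "dir")
    print(report)
    print("after restorecon   :", simulate_restorecon(seen, report["expected"]))
    print("after restorecon -F:", simulate_restorecon(seen, report["expected"], force=True))
```

Run against the thread's label, the report flags both user and type as wrong; the simulated plain restorecon yields unconfined_u:object_r:auditd_log_t:s0, exactly what was observed after the first attempt, and only the -F form produces the system_u label the working system shows. On a real host you would feed it the output of `ls -Zd` and `/etc/selinux/targeted/contexts/files/file_contexts`; `matchpathcon` or `restorecon -nv` give the authoritative answer.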

It worked! Thank you very much for your kind help.

1 Like

You are welcome. :slight_smile:
Please, if you wish, mark this topic as solved by putting a tick mark in the Solution check box under the reply that resolved it.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.