My sender fails to connect to my collector. Is there any reason an MLS-policy F9 audisp-remote should be unable to connect to a targeted-policy F9 auditd? I have no ipsec or anything else involved...

I am looking for some hint as to why the connection is failing but I see only this on the sender:

- lsof says I'm stuck on SYN_SENT

    TCP comms:38827->192.168.30.120:tsdos390 (SYN_SENT)

- audit search on sender ausearch -ts today -i -c audisp-remote:

    ...
    ----
    type=SYSCALL msg=audit(09/11/2008 16:14:45.102:19013) : arch=x86_64 syscall=connect success=no exit=-110(Connection timed out) a0=3 a1=7f99ab0f20e0 a2=10 a3=7fffb289cf50 items=0 ppid=25435 pid=25436 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=61 comm=audisp-remote exe=/sbin/audisp-remote subj=system_u:system_r:audisp_remote_t:s15:c0.c1023 key=(null)

Same audit versions on each (1.7.5-1).

On the sender, I can do a "newrole -l SystemHigh" and connect via "telnet <collector> 1237", so I don't think it is the level giving me any grief - sender is in permissive mode so there are AVCs but it should work.

Eventually on the sender I get this:

    Sep 11 16:57:12 comms audisp-remote: Error connecting to 192.168.30.120: Connection timed out - exiting
    Sep 11 16:57:14 comms audispd: plugin /sbin/audisp-remote terminated unexpectedly

On the collector machine I see the listen socket open but I see no denials in the messages log or the audit log.

Any suggestions?

Thx,
LCB.

--
LC (Lenny) Bruzenak
[EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
