denied {search} pam_console_app

Daniel J Walsh dwalsh at redhat.com
Mon Nov 6 20:48:53 UTC 2006


Robin Bowes wrote:
> Hi,
>
> I'm seeing a whole raft of these msgs at boot:
>
> audit(1162812576.696:158): avc:  denied  { search } for  pid=523
> comm="pam_console_app" name="var" dev=dm-0 ino=229377
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:file_t:s0 tclass=dir
>
> audit2allow suggests this to fix:
>
> allow pam_console_t file_t:dir search;
>
> My question:
>
> Is this the right fix? Or is there some chcon magic I can do?
>
> R.
You have a separate /var partition, and the /var directory that resides 
under the mounted /var is labeled incorrectly.  This is a problem with 
the installer that does not label it correctly.  Not sure why 
pam_console is reporting these.

1. You can boot single user mode without /var mounted and restorecon /var
2. Add a loadable module with the line in it
files_dontaudit_search_isid_type_dirs(pam_console_t)
3. Wait for the next policy update to get that line.
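
A triage pass over a batch of such denials, as an added example that is not part of the original post: it parses AVC lines and separates those whose target type is `file_t` (treated here, following the reply's diagnosis, as a labeling problem to fix with `restorecon`) from those that are a genuine policy question. Only the first sample line comes from the thread; the other two are constructed, and `exampled` / `example_t` are hypothetical names.

```python
import re
from collections import Counter

# Sample input: line 1 is the denial quoted in the thread, joined onto one line.
# Lines 2 and 3 are constructed; exampled / example_t are hypothetical names.
SAMPLE = """\
audit(1162812576.696:158): avc:  denied  { search } for  pid=523 comm="pam_console_app" name="var" dev=dm-0 ino=229377 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1162812576.700:159): avc:  denied  { search } for  pid=523 comm="pam_console_app" name="var" dev=dm-0 ino=229377 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1162812580.101:160): avc:  denied  { read } for  pid=611 comm="exampled" name="example.conf" dev=dm-0 ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields plus source/target types, or None if unusable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    # A context is user:role:type[:level]; the type is the third field.
    s, t = rec['scontext'].split(':'), rec['tcontext'].split(':')
    if len(s) < 3 or len(t) < 3:
        return None
    rec['perms'] = m.group('perms').split()
    rec['stype'], rec['ttype'] = s[2], t[2]
    return rec


def triage(text, unlabeled_types=('file_t',)):
    """Split denials into (relabel, review) counters keyed by what was touched."""
    relabel, review = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'], rec.get('name'), rec.get('dev'))
        (relabel if rec['ttype'] in unlabeled_types else review)[key] += 1
    return relabel, review


if __name__ == '__main__':
    relabel, review = triage(SAMPLE)
    for key, n in relabel.items():
        print(f'{n}x {key}: fix the label (restorecon), not the policy')
    for key, n in review.items():
        print(f'{n}x {key}: review as a policy question')
```

Grouping by source type, target type, class, name and device collapses a boot-time flood into one entry per mislabeled object, which makes it clear when a single `restorecon` would clear many messages.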
