Odd messages during bootup from gdm

Paul Howarth paul at city-fan.org
Thu May 4 14:53:46 UTC 2006


Gene Heskett wrote:
> Gene Heskett wrote:
>> Kam Leo wrote:
>>> On 5/4/06, Gene Heskett <gene.heskett at verizon.net> wrote:
>>>> Greetings;
>>>> These do not appear to be affecting gdm, but they are startling when the
>>>> screen fills with them just before it's cleared and the init=3 login is
>>>> presented.
>>>> =======================
>>>> May  4 02:49:10 diablo kernel: audit(1146728943.423:302): avc:  denied
>>>> { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
>>>> 0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
>>>> tclass=file
>>>> May  4 02:49:10 diablo kernel: audit(1146728943.423:303): avc:  denied
>>>> { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
>>>> 0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
>>>> tclass=file
>>>> May  4 02:49:10 diablo kernel: audit(1146728943.423:304): avc:  denied
>>>> { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
>>>> 0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
>>>> tclass=file
>>>> May  4 02:49:10 diablo kernel: audit(1146728943.423:305): avc:  denied
>>>> { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
>>>> 0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
>>>> tclass=file
>>>> May  4 02:49:10 diablo kernel: audit(1146728943.439:306): avc:  denied
>>>> { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
>>>> 0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
>>>> tclass=file
>>>> May  4 02:49:10 diablo kernel: audit(1146728943.443:307): avc:  denied
>>>> { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
>>>> 0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
>>>> tclass=file
>>>> May  4 02:49:10 diablo kernel: audit(1146728943.443:308): avc:  denied
>>>> { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
>>>> 0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
>>>> tclass=file
>>>> ==================================
>>>> This is with:
>>>> root at diablo ~]# uname -a
>>>> Linux diablo.coyote.den 2.6.16-1.2096_FC5 #1 Wed Apr 19 05:14:36 EDT
>>>> 2006 i686 athlon i386 GNU/Linux
>>>>
>>>> I note also that earlier in the login:
>>>> ===================
>>>> May  4 02:49:09 diablo kernel: md: Autodetecting RAID arrays.
>>>> May  4 02:49:09 diablo kernel: md: autorun ...
>>>> May  4 02:49:10 diablo kernel: md: ... autorun DONE.
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:292): avc:  denied
>>>> { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:293): avc:  denied
>>>> { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:294): avc:  denied
>>>> { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:295): avc:  denied
>>>> { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:296): avc:  denied
>>>> { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: device-mapper: 4.5.0-ioctl (2005-10-04)
>>>> initialised: dm-devel at redhat.com
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.109:297): avc:  denied
>>>> { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.113:298): avc:  denied
>>>> { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.113:299): avc:  denied
>>>> { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.113:300): avc:  denied
>>>> { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: audit(1146728910.113:301): avc:  denied
>>>> { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
>>>> =3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> May  4 02:49:10 diablo kernel: EXT3 FS on hda5, internal journal
>>>> May  4 02:49:10 diablo kernel: kjournald starting.  Commit interval 5
>>>> seconds
>>>> ==============================
>>>> But the md related stuff has been turned off with chkconfig, so why 
>>>> am I
>>>> getting these messages at all?
>>>>
>>>> -- 
>>>> Cheers, Gene
>>>>
>>>
>>> Install the policycoreutils package and pipe the errors to audit2why
>>> to find out.
>> Thanks Kam.
>>> That doesn't seem to be available for install via kyum.  Since livna 
>>> has been unavailable for several days now, can you suggest another 
>>> repo that might have this package?
> I found it was already installed.  Discovering the syntax gave very 
> verbose output, and that eventually led to doing this:
> 
> [root at diablo ~]# audit2allow </var/log/messages
> allow crond_t self:process execheap;
> allow gpm_t etc_t:file read;
> allow pam_console_t file_t:dir search;
> allow restorecon_t unconfined_t:unix_stream_socket { read write };
> allow semanage_t unconfined_t:unix_stream_socket { read write };
> allow unconfined_t lib_t:file execmod;
> allow unconfined_t self:process execheap;
> [root at diablo ~]# audit2allow </var/log/messages >sh
> [root at diablo ~]#
> 
> 2 Q's:
> 1.  Was that the right thing to do, and

No. The "allow" commands are not shell commands.
See: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

> 2. Is this permanent

No, since it wouldn't have actually done anything. Loading a module 
using "semodule" as described in the link above is permanent though.

Before doing any of this, I would bear in mind a few things:

1. The AVC messages you're getting appear to be for several different 
processes, suggesting that there are several different issues here.

2. Are any of these issues symptoms of an actual problem, other than 
annoying messages coming up on the screen?

3. The best solution might not be to "allow" these actions at all - some 
may be due to file contexts being wrong, others might be harmless and 
better off "dontaudit"ed instead.

Have you at any time booted with SELinux disabled and have not since 
done a full relabel? I'm guessing that you have.

What's the output of:

$ ls -lZd /etc/localtime /var

I would expect:
-rw-r--r--  root     root     system_u:object_r:locale_t       /etc/localtime
drwxr-xr-x  root     root     system_u:object_r:var_t          /var

You seem to have these as etc_t and file_t respectively.

Paul.
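As an added example (not code from the thread), a small Python script that parses AVC lines in the format quoted above, collapses them into the allow rules audit2allow prints, and flags the cases Paul describes where the right fix is a relabel rather than a new rule; the sample lines (wrapped records rejoined) and the EXPECTED_TYPE table taken from his "I would expect" output are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's format: the gpm and pam_console_app
# denials with their wrapped lines joined back together.
SAMPLE_LOG = (
    'May  4 02:49:10 diablo kernel: audit(1146728943.423:302): avc:  denied  '
    '{ read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 '
    'scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file\n'
    'May  4 02:49:10 diablo kernel: audit(1146728910.033:292): avc:  denied  '
    '{ search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 '
    'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:file_t:s0 tclass=dir\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?name="(?P<name>[^"]*)"'
    r'.*?scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumption: labels from Paul's expected ls -lZd output, keyed by the AVC name= field.
EXPECTED_TYPE = {'localtime': 'locale_t', 'var': 'var_t'}

def parse_avc(text):
    """Yield (perm, name, source type, target type, class); type is field 3 of a context."""
    for m in AVC_RE.finditer(text):
        stype, ttype = (m.group(g).split(':')[2] for g in ('sctx', 'tctx'))
        for perm in m.group('perms').split():
            yield perm, m.group('name'), stype, ttype, m.group('tclass')

def allow_rules(text):
    """Collapse denials into the allow rules audit2allow would print."""
    perms = defaultdict(set)
    for perm, _name, stype, ttype, tclass in parse_avc(text):
        perms[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        body = ' '.join(sorted(ps))
        body = body if len(ps) == 1 else '{ %s }' % body
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, body))
    return rules

def triage(text):
    """'relabel' when the target carries a wrong label (file_t is the unlabeled
    type; localtime should be locale_t, not etc_t), otherwise 'review'."""
    verdict = {}
    for _perm, name, _stype, ttype, _tclass in parse_avc(text):
        expected = EXPECTED_TYPE.get(name)
        bad = ttype in ('file_t', 'unlabeled_t') or (expected and ttype != expected)
        verdict[name] = 'relabel' if bad else verdict.get(name, 'review')
    return verdict
```

A 'relabel' verdict means restorecon on the object (or a full relabel) is the fix; only a 'review' denial is a candidate for a semodule-loaded allow or dontaudit rule.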
