Odd messages during bootup from gdm
Gene Heskett
gene.heskett at verizon.net
Thu May 4 15:13:50 UTC 2006
Paul Howarth wrote:
> Gene Heskett wrote:
>> Gene Heskett wrote:
>>> Kam Leo wrote:
>>>> On 5/4/06, Gene Heskett <gene.heskett at verizon.net> wrote:
>>>>> Greetings;
>>>>> These do not appear to be affecting gdm, but they are startling
>>>>> when the screen fills with them just before it's cleared and the
>>>>> init=3 login is presented.
>>>>> =======================
>>>>> May 4 02:49:10 diablo kernel: audit(1146728943.423:302): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May 4 02:49:10 diablo kernel: audit(1146728943.423:303): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May 4 02:49:10 diablo kernel: audit(1146728943.423:304): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May 4 02:49:10 diablo kernel: audit(1146728943.423:305): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May 4 02:49:10 diablo kernel: audit(1146728943.439:306): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May 4 02:49:10 diablo kernel: audit(1146728943.443:307): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May 4 02:49:10 diablo kernel: audit(1146728943.443:308): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> ==================================
>>>>> This is with:
>>>>> [root at diablo ~]# uname -a
>>>>> Linux diablo.coyote.den 2.6.16-1.2096_FC5 #1 Wed Apr 19 05:14:36 EDT 2006 i686 athlon i386 GNU/Linux
>>>>>
>>>>> I note also that earlier in the login:
>>>>> ===================
>>>>> May 4 02:49:09 diablo kernel: md: Autodetecting RAID arrays.
>>>>> May 4 02:49:09 diablo kernel: md: autorun ...
>>>>> May 4 02:49:10 diablo kernel: md: ... autorun DONE.
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.033:292): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.033:293): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.033:294): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.033:295): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.033:296): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: device-mapper: 4.5.0-ioctl (2005-10-04) initialised: dm-devel at redhat.com
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.109:297): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.113:298): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.113:299): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.113:300): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: audit(1146728910.113:301): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May 4 02:49:10 diablo kernel: EXT3 FS on hda5, internal journal
>>>>> May 4 02:49:10 diablo kernel: kjournald starting. Commit interval 5 seconds
>>>>> ==============================
>>>>> But the md related stuff has been turned off with chkconfig, so
>>>>> why am I getting these messages at all?
>>>>>
>>>>> --
>>>>> Cheers, Gene
>>>>>
>>>>
>>>> Install the policycoreutils package and pipe the errors to audit2why
>>>> to find out.
>>> Thanks Kam.
>>>> That doesn't seem to be available for install via kyum. Since
>>>> livna has been unavailable for several days now, can you suggest
>>>> another repo that might have this package?
>> I found it was already installed. Discovering the syntax gave very
>> verbose output, and that eventually led to doing this:
>>
>> [root at diablo ~]# audit2allow </var/log/messages
>> allow crond_t self:process execheap;
>> allow gpm_t etc_t:file read;
>> allow pam_console_t file_t:dir search;
>> allow restorecon_t unconfined_t:unix_stream_socket { read write };
>> allow semanage_t unconfined_t:unix_stream_socket { read write };
>> allow unconfined_t lib_t:file execmod;
>> allow unconfined_t self:process execheap;
>> [root at diablo ~]# audit2allow </var/log/messages >sh
>> [root at diablo ~]#
>>
>> 2 Q's:
>> 1. Was that the right thing to do, and
>
> No. The "allow" commands are not shell commands.
> See: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
>
bookmarked for study when I get in tonight, thanks
>> 2. Is this permanent?
>
> No, since it wouldn't have actually done anything. Loading a module
> using "semodule" as described in the link above is permanent though.
>
> Before doing any of this, I would bear in mind a few things:
>
> 1. The AVC messages you're getting appear to be for several different
> processes, suggesting that there are several different issues here.
>
yes, there are several more "stanzas" of this in the logs.
> 2. Are any of these issues symptoms of an actual problem, other than
> annoying messages coming up on the screen?
>
It has since day one sprinkled messages throughout the logs about the
dvd/cd writer being confused. NDI if this is related, and it did work
for making DVDs under XP, and has read anything I put in it except
audio disks; with those the players go thru all the motions of playing, but
no sound actually comes out.
> 3. The best solution might not be to "allow" these actions at all -
> some may be due to file contexts being wrong, others might be harmless
> and better off "dontaudit"ed instead,
>
> Have you at any time booted with SELinux disabled and have not since
> done a full relabel? I'm guessing that you have.
right, as a test once
> What's the output of:
>
> $ ls -lZd /etc/localtime /var
>
> I would expect:
> -rw-r--r-- root root system_u:object_r:locale_t /etc/localtime
> drwxr-xr-x root root system_u:object_r:var_t /var
>
[root at diablo ~]# ls -lZd /etc/localtime /var
-rw-r--r-- root root root:object_r:etc_t /etc/localtime
drwxr-xr-x root root system_u:object_r:var_t /var
> You seem to have these as etc_t and file_t respectively.
>
> Paul.
>
--
Cheers, Gene
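A small triage script for the AVC lines quoted in this thread, added here as an example and not part of the thread or of any Fedora tool: it parses the `audit(...): avc: denied` lines into fields, groups them per source/target type, and applies Paul's point that a denial against `file_t`, or against `/etc/localtime` labelled `etc_t` instead of `locale_t`, calls for a relabel rather than an `audit2allow` rule. The expected-label table and the sample log lines are constructed from the thread; extend the table for your own policy.

```python
import re
from collections import Counter

# Constructed sample in the shape of the AVC lines quoted in the thread
# (one gpm denial, one pam_console_app denial, one non-AVC kernel line).
SAMPLE_LOG = """\
May 4 02:49:10 diablo kernel: audit(1146728943.423:302): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
May 4 02:49:10 diablo kernel: audit(1146728910.033:292): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: EXT3 FS on hda5, internal journal
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# file_t is what a file carries when it was never labelled (e.g. created while
# SELinux was disabled); a denial against it is a labelling problem, not a policy gap.
SUSPECT_TARGET_TYPES = {"file_t", "unlabeled_t"}
# Labels Paul says he expects for the two names in the thread (assumption: extend for your policy).
EXPECTED_TYPE_BY_NAME = {"localtime": "locale_t", "var": "var_t"}

def parse_avc(line):
    """Return the fields of one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    fields["perms"] = m.group("perms").split()
    # a context is user:role:type[:range]; the type is the third field
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def triage(log_text):
    """Count denials per (source type, target type, class, perms) and say
    whether each group looks like a mislabelled target or a real policy gap."""
    groups, advice = Counter(), {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"], " ".join(d["perms"]))
        groups[key] += 1
        expected = EXPECTED_TYPE_BY_NAME.get(d.get("name"))
        if d["ttype"] in SUSPECT_TARGET_TYPES or (expected and expected != d["ttype"]):
            advice[key] = "relabel %s (restorecon); expected %s, found %s" % (
                d.get("name"), expected or "a proper label", d["ttype"])
        else:
            advice[key] = "review: policy gap, or a dontaudit candidate if harmless"
    return groups, advice
```

Feed it `/var/log/messages` instead of `SAMPLE_LOG` to see which groups are worth a relabel check before anything is passed to `audit2allow`.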