Odd messages during bootup from gdm

Gene Heskett gene.heskett at verizon.net
Thu May 4 15:13:50 UTC 2006


Paul Howarth wrote:
> Gene Heskett wrote:
>> Gene Heskett wrote:
>>> Kam Leo wrote:
>>>> On 5/4/06, Gene Heskett <gene.heskett at verizon.net> wrote:
>>>>> Greetings;
>>>>> These do not appear to be affecting gdm, but they are startling
>>>>> when the screen fills with them just before it's cleared and the
>>>>> init=3 login is presented.
>>>>> =======================
>>>>> May  4 02:49:10 diablo kernel: audit(1146728943.423:302): avc:  denied  { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May  4 02:49:10 diablo kernel: audit(1146728943.423:303): avc:  denied  { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May  4 02:49:10 diablo kernel: audit(1146728943.423:304): avc:  denied  { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May  4 02:49:10 diablo kernel: audit(1146728943.423:305): avc:  denied  { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May  4 02:49:10 diablo kernel: audit(1146728943.439:306): avc:  denied  { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May  4 02:49:10 diablo kernel: audit(1146728943.443:307): avc:  denied  { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> May  4 02:49:10 diablo kernel: audit(1146728943.443:308): avc:  denied  { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
>>>>> ==================================
>>>>> This is with:
>>>>> root at diablo ~]# uname -a
>>>>> Linux diablo.coyote.den 2.6.16-1.2096_FC5 #1 Wed Apr 19 05:14:36 EDT
>>>>> 2006 i686 athlon i386 GNU/Linux
>>>>>
>>>>> I note also that earlier in the login:
>>>>> ===================
>>>>> May  4 02:49:09 diablo kernel: md: Autodetecting RAID arrays.
>>>>> May  4 02:49:09 diablo kernel: md: autorun ...
>>>>> May  4 02:49:10 diablo kernel: md: ... autorun DONE.
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:292): avc:  denied  { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:293): avc:  denied  { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:294): avc:  denied  { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:295): avc:  denied  { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.033:296): avc:  denied  { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: device-mapper: 4.5.0-ioctl (2005-10-04) initialised: dm-devel at redhat.com
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.109:297): avc:  denied  { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.113:298): avc:  denied  { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.113:299): avc:  denied  { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.113:300): avc:  denied  { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: audit(1146728910.113:301): avc:  denied  { search } for  pid=1181 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>>> May  4 02:49:10 diablo kernel: EXT3 FS on hda5, internal journal
>>>>> May  4 02:49:10 diablo kernel: kjournald starting.  Commit interval 5 seconds
>>>>> ==============================
>>>>> But the md-related stuff has been turned off with chkconfig, so
>>>>> why am I getting these messages at all?
>>>>>
>>>>> -- 
>>>>> Cheers, Gene
>>>>>
>>>>
>>>> Install the policycoreutils package and pipe the errors to audit2why
>>>> to find out.
>>> Thanks Kam.
>>> That doesn't seem to be available for install via kyum.  Since
>>> livna has been unavailable for several days now, can you suggest
>>> another repo that might have this package?
>> I found it was already installed.  Discovering the syntax gave very 
>> verbose output, and that eventually led to doing this:
>>
>> [root at diablo ~]# audit2allow </var/log/messages
>> allow crond_t self:process execheap;
>> allow gpm_t etc_t:file read;
>> allow pam_console_t file_t:dir search;
>> allow restorecon_t unconfined_t:unix_stream_socket { read write };
>> allow semanage_t unconfined_t:unix_stream_socket { read write };
>> allow unconfined_t lib_t:file execmod;
>> allow unconfined_t self:process execheap;
>> [root at diablo ~]# audit2allow </var/log/messages >sh
>> [root at diablo ~]#
>>
>> 2 Q's:
>> 1.  Was that the right thing to do, and
>
> No. The "allow" commands are not shell commands.
> See: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
>
Bookmarked for study when I get in tonight, thanks.

>> 2.  Is this permanent?
>
> No, since it wouldn't have actually done anything. Loading a module 
> using "semodule" as described in the link above is permanent though.
>
> Before doing any of this, I would bear in mind a few things:
>
> 1. The AVC messages you're getting appear to be for several different 
> processes, suggesting that there are several different issues here.
>
Yes, there are several more "stanzas" of this in the logs.
> 2. Are any of these issues symptoms of an actual problem, other than 
> annoying messages coming up on the screen?
>
It has since day one sprinkled messages throughout the logs about the 
dvd/cd writer being confused.  NDI if this is related, and it did work 
for making dvd's under XP, and has read anything I put in it except 
audio disks; with those the players go through all the motions of 
playing, but no sound actually comes out.

> 3. The best solution might not be to "allow" these actions at all - 
> some may be due to file contexts being wrong, others might be harmless 
> and better off "dontaudit"ed instead,
>
> Have you at any time booted with SELinux disabled and have not since 
> done a full relabel? I'm guessing that you have. 
Right, as a test once.

> What's the output of:
>
> $ ls -lZd /etc/localtime /var
>
> I would expect:
>  -rw-r--r--  root     root     system_u:object_r:locale_t /etc/localtime
> drwxr-xr-x  root     root     system_u:object_r:var_t          /var
>
[root at diablo ~]# ls -lZd /etc/localtime /var
-rw-r--r--  root     root     root:object_r:etc_t              /etc/localtime
drwxr-xr-x  root     root     system_u:object_r:var_t          /var

> You seem to have these as etc_t and file_t respectively.
>
> Paul.
>
-- 

Cheers, Gene
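Paul's point, that several of these denials are labelling problems rather than missing policy, can be checked mechanically before anyone feeds the log to audit2allow. The following is an added example and is not code from this thread or from Fedora's policycoreutils: a small Python parser for the kernel AVC lines quoted above that condenses repeated denials into audit2allow-style rules and flags the ones whose target is file_t (an unlabelled file) or whose type differs from the contexts Paul said to expect. The sample log lines and the EXPECTED_TYPES table are constructed from this thread; on a real system the input would be /var/log/messages or the audit log, and the expected types would come from the policy's file contexts (matchpathcon), not a hand-written table.

```python
"""Triage SELinux AVC denials from syslog before reaching for audit2allow.

Added example, not from the thread.  A denial whose target type is file_t
means the file carries no label at all; a denial whose target type differs
from what the policy assigns to that path means the file is mislabelled.
Both call for a relabel (restorecon), not an "allow" rule.
"""
import re
from collections import Counter

# Constructed sample modelled on the syslog lines quoted in the thread.
SAMPLE_LOG = """\
May  4 02:49:10 diablo kernel: audit(1146728943.423:302): avc:  denied  { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
May  4 02:49:10 diablo kernel: audit(1146728943.423:303): avc:  denied  { read } for  pid=2195 comm="gpm" name="localtime" dev=hda5 ino=12898030 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
May  4 02:49:10 diablo kernel: audit(1146728910.033:292): avc:  denied  { search } for  pid=1173 comm="pam_console_app" name="var" dev=hda5 ino=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
May  4 02:49:10 diablo kernel: EXT3 FS on hda5, internal journal
"""

# Types these names should carry, taken from the ls -lZd output Paul expected.
# Constructed for this example; a real tool would ask matchpathcon instead.
EXPECTED_TYPES = {"localtime": "locale_t", "var": "var_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] context string."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one syslog line into a denial dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Collapse repeated denials into (stype, ttype, tclass, perms) -> count."""
    counts = Counter()
    names = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d["stype"], d["ttype"], d["tclass"], d["perms"])
            counts[key] += 1
            names[key] = d["name"]
    return counts, names


def as_rule(key):
    """Render a key the way audit2allow prints it, e.g. 'allow gpm_t etc_t:file read;'."""
    stype, ttype, tclass, perms = key
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_str};"


def triage(key, name):
    """Decide whether a denial points at a labelling problem or needs policy review."""
    _, ttype, _, _ = key
    if ttype == "file_t":
        return "relabel: target is unlabelled (file_t); run restorecon, do not allow"
    expected = EXPECTED_TYPES.get(name)
    if expected and expected != ttype:
        return f"relabel: {name} is {ttype}, expected {expected}; run restorecon, do not allow"
    return "review: label looks right; consider a policy rule or dontaudit"


def report(log_text):
    """Return (rule, count, verdict) triples, one per distinct denial."""
    counts, names = summarize(log_text)
    return [(as_rule(k), n, triage(k, names[k])) for k, n in sorted(counts.items())]


if __name__ == "__main__":
    for rule, n, verdict in report(SAMPLE_LOG):
        print(f"{n:3d}x {rule:45s} {verdict}")
```

Run against the sample, both rules that audit2allow would have emitted (`allow gpm_t etc_t:file read;` and `allow pam_console_t file_t:dir search;`) come back marked "relabel", which is the outcome Paul's `ls -lZd` check points to; only a denial whose target already carries the right label is worth considering for a module loaded with semodule.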
