I give up! Help on avc message for dev dm-0
Paul Howarth
paul at city-fan.org
Wed Sep 20 15:53:01 UTC 2006
Gianfranco Durin wrote:
> Paul Howarth wrote:
>> Gianfranco Durin wrote:
>>> Paul Howarth wrote:
>>> ...
>>>>> I installed the audit package, then after reboot I have
>>>>>
>>>>> > # ausearch -a 364
>>>>>
>>>>> type=USER_AUTH msg=audit(1158759070.643:364): user pid=2593 uid=0
>>>>> auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255
>>>>> msg='PAM: authentication acct=gf : exe="/usr/sbin/gdm-binary"
>>>>> (hostname=?, addr=?, terminal=:0 res=success)'
>>>>>
>>>>> (Not sure if it refers to the previous message, by the way)
>>>>
>>>> It doesn't, because you have rebooted. Are you still getting the
>>>> denials? If you can find one since the reboot, try the ausearch
>>>> again and use the number after the ":" in the audit message (364 in
>>>> the case above).
>>>>
>>>>> > # ls -lZd /var
>>>>>
>>>>> drwxr-xr-x root root system_u:object_r:var_t /var
>>>>
>>>> That one looks OK.
>>>>
>>>> Paul.
>>>>
>>>
>>> I am a little confused.
>>> After rebooting again, I have about 300 messages of the same kind,
>>> similar to the first one:
>>>
>>> Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc:
>>> denied { search } for pid=1359 comm="pam_console_app" name="var"
>>> dev=dm-0 ino=130817
>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>
>>> but...
>>>
>>> ausearch -a 308
>>>
>>> returns
>>> <no matches>
>>>
>>> The same for all the others...
>>
>> Not sure what's going on there. Can you find all matches of
>> 1158761731.078:308 in the log file using grep?
>>
>> Paul.
>>
> yes
>
> cat /var/log/messages |grep 1158761731.078:308
>
> Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc: denied {
> search } for pid=1359 comm="pam_console_app" name="var" dev=dm-0
> ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:file_t:s0 tclass=dir
Just that entry? Hmm, perhaps you need to be running auditd to get any
more info.
> Wait, I found this:
> aureport -u -i
>
> but all the events ID are larger than ID of the messages similar to the
> previous one. These are the only IDs which give me a result with ausearch
>
> time->Wed Sep 20 16:16:03 2006
> type=USER_AUTH msg=audit(1158761763.116:362): user pid=2487 uid=0
> auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM:
> authentication acct=root : exe="/usr/bin/perl" (hostname=?, addr=?,
> terminal=? res=failed)'
>
> time->Wed Sep 20 16:16:06 2006
> type=USER_ERR msg=audit(1158761766.696:363): user pid=2549 uid=0
> auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM:
> bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?,
> terminal=console res=failed)'
>
>
> very strange...
These just may be a side effect of the way you have authentication
configured.
> In any case, what is dm-0?
The first device mapper device, which might be your root filesystem if
you're using LVM or RAID.
Paul.
More information about the fedora-list
mailing list