I give up! Help on avc message for dev dm-0

Paul Howarth paul at city-fan.org
Wed Sep 20 15:53:01 UTC 2006


Gianfranco Durin wrote:
> Paul Howarth wrote:
>> Gianfranco Durin wrote:
>>> Paul Howarth wrote:
>>> ...
>>>>> I installed the audit package, then after reboot I have
>>>>>
>>>>>  > # ausearch -a 364
>>>>>
>>>>> type=USER_AUTH msg=audit(1158759070.643:364): user pid=2593 uid=0 
>>>>> auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 
>>>>> msg='PAM: authentication acct=gf : exe="/usr/sbin/gdm-binary" 
>>>>> (hostname=?, addr=?, terminal=:0 res=success)'
>>>>>
>>>>> (Not sure if it refers to the previous message, by the way)
>>>>
>>>> It doesn't, because you have rebooted. Are you still getting the 
>>>> denials? If you can find one since the reboot, try the ausearch 
>>>> again and use the number after the ":" in the audit message (364 in 
>>>> the case above).
>>>>
>>>>>  > # ls -lZd /var
>>>>>
>>>>> drwxr-xr-x  root root system_u:object_r:var_t          /var
>>>>
>>>> That one looks OK.
>>>>
>>>> Paul.
>>>>
>>>
>>> I am a little confused.
>>> After rebooting again, I have about 300 messages of the same kind, 
>>> similar to the first one:
>>>
>>> Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc:  
>>> denied  { search } for  pid=1359 comm="pam_console_app" name="var" 
>>> dev=dm-0 ino=130817 
>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 
>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>
>>> but...
>>>
>>> ausearch -a 308
>>>
>>> returns
>>> <no matches>
>>>
>>> The same for all the others...
>>
>> Not sure what's going on there. Can you find all matches of 
>> 1158761731.078:308 in the log file using grep?
>>
>> Paul.
>>
> yes
> 
> cat /var/log/messages |grep 1158761731.078:308
> 
> Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc:  denied  { 
> search } for  pid=1359 comm="pam_console_app" name="var" dev=dm-0 
> ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 
> tcontext=system_u:object_r:file_t:s0 tclass=dir

Just that entry? Hmm, perhaps you need to be running auditd to get any 
more info.

> Wait, I found this:
> aureport -u -i
> 
> but all the event IDs are larger than the IDs of the messages similar to the 
> previous one. These are the only IDs which give me a result with ausearch
> 
> time->Wed Sep 20 16:16:03 2006
> type=USER_AUTH msg=audit(1158761763.116:362): user pid=2487 uid=0 
> auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: 
> authentication acct=root : exe="/usr/bin/perl" (hostname=?, addr=?, 
> terminal=? res=failed)'
> 
> time->Wed Sep 20 16:16:06 2006
> type=USER_ERR msg=audit(1158761766.696:363): user pid=2549 uid=0 
> auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: 
> bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, 
> terminal=console res=failed)'
> 
> 
> very strange...

These just may be a side effect of the way you have authentication 
configured.

> In any case, what is dm-0?

The first device mapper device, which might be your root filesystem if 
you're using LVM or RAID.

Paul.
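
Added example, not part of the original message or of any Fedora tool: the denials in this thread appeared only in /var/log/messages and `ausearch -a` returned no matches for them, so these shell functions read the kernel `avc:  denied` lines directly, pull out the number after the ":" and collapse the repeated denials into counts. The function names are hypothetical, and every sample line except the first (the denial quoted above, re-joined onto one line) is constructed.

```shell
#!/bin/sh
# Added example. sample_log is constructed: the first line is the denial quoted
# in the thread (re-joined onto one line); the other three are made up.
sample_log() {
cat <<'EOF'
Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc:  denied  { search } for  pid=1359 comm="pam_console_app" name="var" dev=dm-0 ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
Sep 20 16:16:11 ethan kernel: audit(1158761731.079:309): avc:  denied  { search } for  pid=1360 comm="pam_console_app" name="var" dev=dm-0 ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
Sep 20 16:16:12 ethan kernel: audit(1158761732.101:310): avc:  denied  { getattr } for  pid=1401 comm="hald" name="example" dev=dm-0 ino=130900 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 20 16:16:12 ethan sshd[2001]: Server listening on 0.0.0.0 port 22.
EOF
}

# One tab-separated record per AVC denial read from stdin:
# serial, permissions, comm, name, dev, tcontext, tclass
avc_fields() {
  awk -v OFS='\t' '
    /avc: +denied/ {
      split("", kv)                                   # reset per-line key=value map
      if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
      serial = substr($0, RSTART, RLENGTH)
      sub(/^.*:/, "", serial); sub(/\)$/, "", serial) # number after the ":"
      perms = ""
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms)
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq > 1) { v = substr($i, eq + 1); gsub(/"/, "", v); kv[substr($i, 1, eq - 1)] = v }
      }
      print serial, perms, kv["comm"], kv["name"], kv["dev"], kv["tcontext"], kv["tclass"]
    }'
}

# Serial numbers (the value ausearch -a takes), unique and sorted.
avc_event_ids() { avc_fields | cut -f1 | sort -un; }

# Collapse repeated denials: count per distinct (perms, comm, name, dev, tcontext, tclass).
avc_summary() { avc_fields | cut -f2- | sort | uniq -c | sort -rn; }

# Usage on a live system (path as used in the thread): avc_summary < /var/log/messages
sample_log | avc_summary
```

The key=value split assumes no field value contains a space, which holds for the denial quoted in the thread.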



