error: kernel: audit: avc: denied { write }

[Russell Coker]

On Wednesday 02 February 2005 01:45, Roger Skildum <cowchaser at axs.net> wrote:
> I am running FC3 with a vanilla 2.6.10 kernel patched for Win4lin.  I am
> not sure what has happened but all of a sudden I started getting a whole
> slew of the errors listed below each time I boot.
>
> Jan 30 05:18:48 host kernel: audit(1107080328.663:0): avc:  denied  {
> write } for  pid=3575 exe=/usr/sbin/ntpd name=log dev=tmpfs ino=6673
> scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:device_t
> tclass=sock_file

Does that particular message happen every time you boot?  If so then maybe 
syslogd is running in the wrong domain.  Run "ps axZ|grep syslog" to check 
the context of syslogd (should be syslogd_t).

>  From what I understand they are related to selinux.  They are not all
> the same but all deal with kernel: audit.  The system log shows me that
> they happen while the system is running also.  I have not noticed any
> system degradation but something must be wrong.  I do not think I have

Is the system in permissive mode?  If it's in enforcing mode then such errors 
would result in significant differences of the operation of the machine.

> done anything to course this except update my system.  When I run system
> monitor I see under the Resource Monitor tab I see a device listed as
> /dev/shm with a type as tmpfs with a total of 125MB but 0% used.  When I
> look in the /dev directory there is no /dev/shm or /dev/tmpfs for that
> matter.  Is this related to the problem since the error lists
> dev=tmpfs?  Any I ideas as to what is wrong or how to correct?

The error you report related to /dev/shm is strange.  Let's fix the other 
error first.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page