kdebase: selinux preventing appending to /var/log/kdm.log ?

Daniel J Walsh dwalsh at redhat.com
Thu Jun 14 14:14:03 UTC 2007


Rex Dieter wrote:
> Daniel J Walsh wrote:
>> Rex Dieter wrote:
>>> See also:
>>> http://bugzilla.redhat.com/243505
>>>
>>> Raw Audit Messages
>>>
>>> avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500 euid=0
>>> exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0
>>> name="kdm.log" path="/var/log/kdm.log" pid=3804
>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500
>>> subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file
>>> tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0
>>>
>>>   
>> Well you have a few choices.
>>
>> 1. Ignore it for now, since I doubt it causes any problem.
>>
>> 2. Write custom policy for it.
>>
>> # grep pam_console_t /var/log/audit/audit.log | audit2allow -M mypamconsole
>> # semodule -i mypamconsole.pp
>>
>> 3. Wait for the next policy update which will write a rule to 
>> dontaudit this.
>
> Would it be-better/help if kdm.log was in /var/log/kdm/ dir instead of 
> /var/log/ directly?
>
> -- Rex
Ordinarily yes, but in this case it does not matter.  The problem is a 
redirection of stdout to the log file and pam_console_t does not have 
permission to write there.  So it generates an avc when it starts 
pam_console.  pam_console runs anyways and completes.
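
Added example (not part of the original message, and not audit2allow's own code): a small parser for the AVC record quoted above that derives the type-enforcement rule the record implies, in the `allow` form of option 2 or the `dontaudit` form of option 3. The function names are illustrative, and the sample record is the one from the thread with the e-mail line wraps joined.

```python
import re

# AVC record from the thread, joined onto one line (the e-mail wrapped it).
SAMPLE_AVC = (
    'avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500 euid=0 '
    'exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0 '
    'name="kdm.log" path="/var/log/kdm.log" pid=3804 '
    'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500 '
    'subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file '
    'tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    # A context is user:role:type[:mls-range]; the type is the third field.
    src = fields['scontext'].split(':')
    tgt = fields['tcontext'].split(':')
    if len(src) < 3 or len(tgt) < 3:
        return None
    fields['perms'] = m.group('perms').split()
    fields['source_type'] = src[2]
    fields['target_type'] = tgt[2]
    return fields


def te_rule(denial, keyword='allow'):
    """Format the denial as a TE rule; keyword is 'allow' or 'dontaudit'."""
    perms = denial['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return (f"{keyword} {denial['source_type']} "
            f"{denial['target_type']}:{denial['tclass']} {perm_text};")


if __name__ == '__main__':
    d = parse_avc(SAMPLE_AVC)
    print(te_rule(d))               # rule form behind option 2
    print(te_rule(d, 'dontaudit'))  # rule form behind option 3
```

The rule is keyed on the source type, target type, object class and permission, so reviewing the parsed fields before loading a generated module shows exactly what access would be granted or silenced.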




More information about the fedora-selinux-list mailing list