RHEL 5.3 and sealert -b

George Magklaras georgios at biotek.uio.no
Tue Mar 3 14:10:21 UTC 2009


Hi again,

ESGLinux wrote:
>> in /var/log/audit/audit.log there are a lot of logs with AVC
>> ...
>>
>> u:system_r:setroubleshootd_t:s0
>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>> type=AVC msg=audit(1236072678.050:68): avc:  denied  { write } for
>> pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
>> scontext=system_u:system_r:setroubleshootd_t:s0
>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>> type=AVC msg=audit(1236072738.057:69): avc:  denied  { write } for
>> pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
>> scontext=system_u:system_r:setroubleshootd_t:s0
>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>> type=AVC msg=audit(1236085050.837:8): avc:  denied  { write } for  pid=2123
>> comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
>> scontext=system_u:system_r:setroubleshootd_t:s0
>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>> type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0
>> subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '
>> type=AVC msg=audit(1236085110.848:22): avc:  denied  { write } for
>> pid=2123 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
>> scontext=system_u:system_r:setroubleshootd_t:s0
>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>> type=USE

These messages indicate that setroubleshootd itself has problems 
communicating with the OS audit daemon. Interesting! Could it be that 
you should try to restart the audit daemon by doing a service auditd 
stop followed by a service auditd start?

If the problem is not cured by this, then you need to look at the 
context of the files being shown in the AVC messages 
(name="audispd_events" dev=hda8 ino=16329). I am guessing that this 
probably refers to a file under /var/run:

srw-r-----  root    root    user_u:object_r:audisp_var_run_t audispd_events
-rw-r--r--  root    root    user_u:object_r:auditd_var_run_t auditd.pid
drwxr-xr-x  root    root    system_u:object_r:setroubleshoot_var_run_t setroubleshoot


You should then have at this point access to these files in the correct 
SELinux context under /var/run and try to make it whinge by executing a 
manually installed version of Open Office 3. You should see the star 
icon popping up.



-- 
George Magklaras BSc Hons MPhil
RHCE:805008309135525

Senior Computer Systems Engineer/UNIX-Linux Systems Administrator
EMBnet Technical Management Board
The Biotechnology Centre of Oslo,
University of Oslo
http://folk.uio.no/georgios
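The check George describes (compare the tcontext reported in the AVC denials against the label the file under /var/run should carry) can be done mechanically. The following is an added example, not code from the thread or from Red Hat's tooling: it parses the quoted AVC records (re-joined onto single lines, since mail wrapping split them), extracts the subject/target types, and flags targets whose reported type differs from the type shown in George's /var/run listing. The EXPECTED_TYPES table is taken from that listing and is an assumption about what a correctly labelled RHEL 5.3 /var/run looks like; the sample log text is constructed from the quoted lines.

```python
import re
from collections import Counter

# Constructed sample: the AVC/USER_TTY records quoted in the thread, each
# re-joined onto one line (the mail client wrapped them). Not a real capture.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1236072678.050:68): avc:  denied  { write } for  pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1236072738.057:69): avc:  denied  { write } for  pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '
type=AVC msg=audit(1236085110.848:22): avc:  denied  { write } for  pid=2123 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
"""

# Only type=AVC records are of interest; USER_TTY and friends are skipped.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be double-quoted (comm=, name=).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed correct object types for files under /var/run, copied from the
# ls -Z style listing in the mail above.
EXPECTED_TYPES = {
    "audispd_events": "audisp_var_run_t",
    "auditd.pid": "auditd_var_run_t",
    "setroubleshoot": "setroubleshoot_var_run_t",
}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type (index 2) is what policy
    # rules are written against, so pull it out for both subject and target.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def parse_audit_log(text):
    """Parse every AVC record in an audit.log-style text, skipping the rest."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def find_label_mismatches(records, expected=EXPECTED_TYPES):
    """Denials whose target file carries a type other than the expected one.

    A hit means the denial is most likely a mislabelled file rather than a
    missing policy rule, which is exactly the distinction the mail draws.
    """
    hits = []
    for r in records:
        if r["result"] != "denied":
            continue
        want = expected.get(r.get("name"))
        have = r.get("tcontext_type")
        if want and have and want != have:
            hits.append({
                "serial": r["serial"],
                "pid": r.get("pid"),
                "comm": r.get("comm"),
                "name": r["name"],
                "tclass": r.get("tclass"),
                "expected": want,
                "actual": have,
            })
    return hits


def summarize(records):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for r in records:
        if r["result"] == "denied":
            key = (r["scontext_type"], r["tcontext_type"],
                   r.get("tclass"), " ".join(r["perms"]))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in summarize(recs).items():
        print(n, "x", key)
    for hit in find_label_mismatches(recs):
        print("serial %(serial)s: %(comm)s (pid %(pid)s) -> %(name)s is "
              "%(actual)s, expected %(expected)s" % hit)
```

Run against the quoted records this reports three denials of the same kind and three label mismatches on audispd_events (reported as auditd_var_run_t, listing says audisp_var_run_t). When the check fires on a live system, the usual remedy is to restore the file's label from the policy's file contexts with restorecon rather than to write a local policy module allowing the write; that recommendation is mine, not something the thread states.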

More information about the redhat-list mailing list