Re: Odd messages during bootup from gdm

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Paul Howarth wrote:
Gene Heskett wrote:
Gene Heskett wrote:
Kam Leo wrote:
On 5/4/06, Gene Heskett <gene.heskett@xxxxxxxxxxx> wrote:
Greetings;
These do not appear to be effecting gdm, but they are startling when the screen fills with them just before its cleared and the init=3 login is
presented.
=======================
May 4 02:49:10 diablo kernel: audit(1146728943.423:302): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
tclass=file
May 4 02:49:10 diablo kernel: audit(1146728943.423:303): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
tclass=file
May 4 02:49:10 diablo kernel: audit(1146728943.423:304): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
tclass=file
May 4 02:49:10 diablo kernel: audit(1146728943.423:305): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
tclass=file
May 4 02:49:10 diablo kernel: audit(1146728943.439:306): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
tclass=file
May 4 02:49:10 diablo kernel: audit(1146728943.443:307): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
tclass=file
May 4 02:49:10 diablo kernel: audit(1146728943.443:308): avc: denied { read } for pid=2195 comm="gpm" name="localtime" dev=hda5 ino=1289803
0 scontext=system_u:system_r:gpm_t:s0 tcontext=root:object_r:etc_t:s0
tclass=file
==================================
This is with:
root@diablo ~]# uname -a
Linux diablo.coyote.den 2.6.16-1.2096_FC5 #1 Wed Apr 19 05:14:36 EDT
2006 i686 athlon i386 GNU/Linux

I note also that earlier in the login:
===================
May  4 02:49:09 diablo kernel: md: Autodetecting RAID arrays.
May  4 02:49:09 diablo kernel: md: autorun ...
May  4 02:49:10 diablo kernel: md: ... autorun DONE.
May 4 02:49:10 diablo kernel: audit(1146728910.033:292): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: audit(1146728910.033:293): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: audit(1146728910.033:294): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: audit(1146728910.033:295): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: audit(1146728910.033:296): avc: denied { search } for pid=1173 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: device-mapper: 4.5.0-ioctl (2005-10-04)
initialised: dm-devel@xxxxxxxxxx
May 4 02:49:10 diablo kernel: audit(1146728910.109:297): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: audit(1146728910.113:298): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: audit(1146728910.113:299): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: audit(1146728910.113:300): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 4 02:49:10 diablo kernel: audit(1146728910.113:301): avc: denied { search } for pid=1181 comm="pam_console_app" name="var" dev=hda5 ino
=3208129 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
May  4 02:49:10 diablo kernel: EXT3 FS on hda5, internal journal
May  4 02:49:10 diablo kernel: kjournald starting.  Commit interval 5
seconds
==============================
But the md related stuff has been turned off with chkconfig, so why am I
getting these messages at all?

--
Cheers, Gene


Install the policycoreutils package and pipe the errors to audit2why
to find out.
Thanks Kam.
That doesn't seem to be available for install via kyum. Since livna has been unavailable for several days now, can you suggest another repo that might have this package?
I found it was already installed. Discovering the syntax gave very verbose output, and that eventually led to doing this:

[root@diablo ~]# audit2allow </var/log/messages
allow crond_t self:process execheap;
allow gpm_t etc_t:file read;
allow pam_console_t file_t:dir search;
allow restorecon_t unconfined_t:unix_stream_socket { read write };
allow semanage_t unconfined_t:unix_stream_socket { read write };
allow unconfined_t lib_t:file execmod;
allow unconfined_t self:process execheap;
[root@diablo ~]# audit2allow </var/log/messages >sh
[root@diablo ~]#

2 Q's:
1.  Was that the right thing to do, and

No. The "allow" commands are not shell commands.
See: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

bookmarked for study when I get in tonight, thanks

2. Is this permanent

No, since it wouldn't have actually done anything. Loading a module using "semodule" as described in the link above is permanent though.

Before doing any of this, I would bear in mind a few things:

1. The AVC messages you're getting appear to be for several different processes, suggesting that there are several different issues here.

yes, there are several more "stanza's" of this in the logs.
2. Are any of these issues symptoms of an actual problem, other than annoying messages coming up on the screen?

It has since day one sprinkled messages throughout the logs about the dvdd/cd writer being confused. NDI if this is related, and it did work for making dvd's under XP, and has read anything I put in it except audio disks, those the players go thru all the motions of playing, but no sound actually comes out.

3. The best solution might not be to "allow" these actions at all - some may be due to file contexts being wrong, others might be harmless and better off "dontaudit"ed instead,

Have you at any time booted with SELinux disabled and have not since done a full relabel? I'm guessing that you have.
right, as  a test once

What's the output of:

$ ls -lZd /etc/localtime /var

I would expect:
 -rw-r--r--  root     root     system_u:object_r:locale_t /etc/localtime
drwxr-xr-x  root     root     system_u:object_r:var_t          /var

[root@diablo ~]# ls -lZd /etc/localtime /var
-rw-r--r-- root root root:object_r:etc_t /etc/localtime
drwxr-xr-x  root     root     system_u:object_r:var_t          /var

You seem to have these as etc_t and file_t respectively.

Paul.

--

Cheers, Gene


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux