Rex Dieter wrote:
Daniel J Walsh wrote:
Rex Dieter wrote:
See also:
http://bugzilla.redhat.com/243505
Raw Audit Messages
avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500
euid=0
exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0
name="kdm.log" path="/var/log/kdm.log" pid=3804
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500
subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0
Well, you have a few choices.
1. Ignore it for now, since I doubt it causes any problem.
2. Write custom policy for it.
# grep pam_console_t /var/log/audit/audit.log | audit2allow -M mypamconsole
# semodule -i mypamconsole.pp
3. Wait for the next policy update which will write a rule to
dontaudit this.
Would it be-better/help if kdm.log was in /var/log/kdm/ dir instead of
/var/log/ directly?
-- Rex
Ordinarily yes, but in this case it does not matter. The problem is a
redirection of stdout to the log file and pam_console_t does not have
permission to write there. So it generates an avc when it starts
pam_console. pam_console runs anyways and completes.
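An added example, not part of the thread and not audit2allow's own code: a small Python parser that reads the denial quoted above and derives the type-enforcement rule it corresponds to, so the module built in option 2 can be checked against what was actually denied before it is loaded. The helper names are hypothetical; the AVC text is copied from the message.

```python
import re

# The denial quoted in the thread, rejoined onto one line (copied from the page).
AVC = (
    'avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500 euid=0 '
    'exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0 '
    'name="kdm.log" path="/var/log/kdm.log" pid=3804 '
    'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500 '
    'subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file '
    'tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0'
)
_PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (sorted permissions, key/value fields), or None if not an AVC denial."""
    m = _PERMS.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return sorted(m.group(1).split()), fields

def selinux_type(context):
    """The type is the third field of user:role:type[:mls-range]."""
    return context.split(":")[2]

def rule_for(line, keyword="allow"):
    """Build the rule covering this denial; keyword is 'allow' or 'dontaudit'."""
    parsed = parse_avc(line)
    if parsed is None:
        raise ValueError("not an AVC denial")
    perms, f = parsed
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "%s %s %s:%s %s;" % (
        keyword, selinux_type(f["scontext"]), selinux_type(f["tcontext"]),
        f["tclass"], perm_text)

if __name__ == "__main__":
    print(rule_for(AVC))               # the access option 2 would grant
    print(rule_for(AVC, "dontaudit"))  # the same access, only silenced (option 3)
```

`audit2allow -M mypamconsole` also writes `mypamconsole.te` next to the `.pp`; because the `grep` in option 2 matches every audit line mentioning `pam_console_t`, read that file against the single rule above before running `semodule -i`.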