Re: RHEL 5.3 and sealert -b


 



Hi again,

ESGLinux wrote:
in /var/log/audit/audit.log there are a lot of logs with AVC
...

u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1236072678.050:68): avc:  denied  { write } for
pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1236072738.057:69): avc:  denied  { write } for
pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1236085050.837:8): avc:  denied  { write } for  pid=2123
comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '
type=AVC msg=audit(1236085110.848:22): avc:  denied  { write } for
pid=2123 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=USE

These messages indicate that setroubleshootd itself has problems communicating with the OS audit daemon. Interesting! Could it be that you should try to restart the audit daemon by doing a service auditd stop followed by a service auditd start?

If the problem is not cured by this, then you need to look at the context of the files being shown in the AVC messages (name="audispd_events" dev=hda8 ino=16329). I am guessing that this probably refers to a file under /var/run:

srw-r-----  root    root    user_u:object_r:audisp_var_run_t audispd_events
-rw-r--r--  root    root    user_u:object_r:auditd_var_run_t auditd.pid
drwxr-xr-x  root    root    system_u:object_r:setroubleshoot_var_run_t setroubleshoot


You should then have at this point access to these files in the correct SELinux context under /var/run and try to make it whinge by executing a manually installed version of Open Office 3. You should see the star icon popping up.



--
George Magklaras BSc Hons MPhil
RHCE:805008309135525

Senior Computer Systems Engineer/UNIX-Linux Systems Administrator
EMBnet Technical Management Board
The Biotechnology Centre of Oslo,
University of Oslo
http://folk.uio.no/georgios
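
Added example, not part of the original message: a small Python parser that rejoins mail-wrapped audit.log records like the ones quoted above and counts identical AVC denials, so one repeating denial (here setroubleshootd writing to the audispd_events socket) stands out from the noise. The function names are illustrative assumptions; the sample records are copied from the quoted log.

```python
import re
from collections import Counter

# Sample input: records taken from the log quoted in the message above,
# including the hard line wraps introduced by the mail client.
SAMPLE = """\
type=AVC msg=audit(1236072678.050:68): avc:  denied  { write } for
pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '
type=AVC msg=audit(1236085110.848:22): avc:  denied  { write } for
pid=2123 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def records(text):
    """Rejoin wrapped lines; a new record begins at a line starting 'type='."""
    current = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("type=") and current:
            yield " ".join(current)
            current = []
        if line:
            current.append(line)
    if current:
        yield " ".join(current)

def sel_type(context):
    """Return the type field of user:role:type[:level], or None if truncated."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else None

def parse_avc(record):
    """Return (comm, perms, source_type, target_type, tclass, name) or None."""
    m = AVC_RE.match(record)
    if not m:
        return None  # not an AVC denial (e.g. USER_TTY)
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    return (f.get("comm"), tuple(m.group("perms").split()),
            sel_type(f.get("scontext")), sel_type(f.get("tcontext")),
            f.get("tclass"), f.get("name"))

def summarize(text):
    """Count identical denials across all AVC records in the text."""
    return Counter(k for k in map(parse_avc, records(text)) if k)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```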



--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
