I give up! Help on avc message for dev dm-0
Paul Howarth
paul at city-fan.org
Wed Sep 20 14:47:55 UTC 2006
Gianfranco Durin wrote:
> Paul Howarth wrote:
> ...
>>> I installed the audit package, then after reboot I have
>>>
>>> > # ausearch -a 364
>>>
>>> type=USER_AUTH msg=audit(1158759070.643:364): user pid=2593 uid=0
>>> auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM:
>>> authentication acct=gf : exe="/usr/sbin/gdm-binary" (hostname=?,
>>> addr=?, terminal=:0 res=success)'
>>>
>>> (Not sure if it refers to the previous message, by the way)
>>
>> It doesn't, because you have rebooted. Are you still getting the
>> denials? If you can find one since the reboot, try the ausearch again
>> and use the number after the ":" in the audit message (364 in the case
>> above).
>>
>>> > # ls -lZd /var
>>>
>>> drwxr-xr-x root root system_u:object_r:var_t /var
>>
>> That one looks OK.
>>
>> Paul.
>>
>
> I am a little confused.
> After rebooting again, I have about 300 messages of the same kind,
> similar to the first one:
>
> Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc: denied {
> search } for pid=1359 comm="pam_console_app" name="var" dev=dm-0
> ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:file_t:s0 tclass=dir
>
> but...
>
> ausearch -a 308
>
> returns
> <no matches>
>
> The same for all the others...
Not sure what's going on there. Can you find all matches of
1158761731.078:308 in the log file using grep?
Paul.
More information about the fedora-list
mailing list