I give up! Help on avc message for dev dm-0
Gianfranco Durin
gdurin at tele2.it
Wed Sep 20 15:16:08 UTC 2006
Paul Howarth wrote:
> Gianfranco Durin wrote:
>> Paul Howarth wrote:
>> ...
>>>> I installed the audit package, then after reboot I have
>>>>
>>>> > # ausearch -a 364
>>>>
>>>> type=USER_AUTH msg=audit(1158759070.643:364): user pid=2593 uid=0
>>>> auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM:
>>>> authentication acct=gf : exe="/usr/sbin/gdm-binary" (hostname=?,
>>>> addr=?, terminal=:0 res=success)'
>>>>
>>>> (Not sure if it refers to the previous message, by the way)
>>>
>>> It doesn't, because you have rebooted. Are you still getting the
>>> denials? If you can find one since the reboot, try the ausearch again
>>> and use the number after the ":" in the audit message (364 in the
>>> case above).
>>>
>>>> > # ls -lZd /var
>>>>
>>>> drwxr-xr-x root root system_u:object_r:var_t /var
>>>
>>> That one looks OK.
>>>
>>> Paul.
>>>
>>
>> I am a little confused.
>> After rebooting again, I have about 300 messages of the same kind,
>> similar to the first one:
>>
>> Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc: denied
>> { search } for pid=1359 comm="pam_console_app" name="var" dev=dm-0
>> ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>
>> but...
>>
>> ausearch -a 308
>>
>> returns
>> <no matches>
>>
>> The same for all the others...
>
> Not sure what's going on there. Can you find all matches of
> 1158761731.078:308 in the log file using grep?
>
> Paul.
>
yes
cat /var/log/messages |grep 1158761731.078:308
Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc: denied {
search } for pid=1359 comm="pam_console_app" name="var" dev=dm-0
ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
Wait, I found this:
aureport -u -i
but all the events ID are larger than ID of the messages similar to the
previous one. These are the only IDs which give me a result with ausearch
time->Wed Sep 20 16:16:03 2006
type=USER_AUTH msg=audit(1158761763.116:362): user pid=2487 uid=0
auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM:
authentication acct=root : exe="/usr/bin/perl" (hostname=?, addr=?,
terminal=? res=failed)'
time->Wed Sep 20 16:16:06 2006
type=USER_ERR msg=audit(1158761766.696:363): user pid=2549 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM:
bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?,
terminal=console res=failed)'
very strange...
In any case, what is dm-0?
thanks
Gianfranco
More information about the fedora-list
mailing list