I give up! Help on avc message for dev dm-0

Gianfranco Durin gdurin at tele2.it
Wed Sep 20 15:16:08 UTC 2006


Paul Howarth wrote:
> Gianfranco Durin wrote:
>> Paul Howarth wrote:
>> ...
>>>> I installed the audit package, then after reboot I have
>>>>
>>>>  > # ausearch -a 364
>>>>
>>>> type=USER_AUTH msg=audit(1158759070.643:364): user pid=2593 uid=0 
>>>> auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: 
>>>> authentication acct=gf : exe="/usr/sbin/gdm-binary" (hostname=?, 
>>>> addr=?, terminal=:0 res=success)'
>>>>
>>>> (Not sure if it refers to the previous message, by the way)
>>>
>>> It doesn't, because you have rebooted. Are you still getting the 
>>> denials? If you can find one since the reboot, try the ausearch again 
>>> and use the number after the ":" in the audit message (364 in the 
>>> case above).
>>>
>>>>  > # ls -lZd /var
>>>>
>>>> drwxr-xr-x  root root system_u:object_r:var_t          /var
>>>
>>> That one looks OK.
>>>
>>> Paul.
>>>
>>
>> I am a little confused.
>> After rebooting again, I have about 300 messages of the same kind, 
>> similar to the first one:
>>
>> Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc:  denied  
>> { search } for  pid=1359 comm="pam_console_app" name="var" dev=dm-0 
>> ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>>
>> but...
>>
>> ausearch -a 308
>>
>> returns
>> <no matches>
>>
>> The same for all the others...
> 
> Not sure what's going on there. Can you find all matches of 
> 1158761731.078:308 in the log file using grep?
> 
> Paul.
> 
yes

cat /var/log/messages |grep 1158761731.078:308

Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc:  denied  { 
search } for  pid=1359 comm="pam_console_app" name="var" dev=dm-0 
ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 
tcontext=system_u:object_r:file_t:s0 tclass=dir

Wait, I found this:
aureport -u -i

but all the event IDs are larger than the IDs of the messages similar to the 
previous one. These are the only IDs which give me a result with ausearch:

time->Wed Sep 20 16:16:03 2006
type=USER_AUTH msg=audit(1158761763.116:362): user pid=2487 uid=0 
auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: 
authentication acct=root : exe="/usr/bin/perl" (hostname=?, addr=?, 
terminal=? res=failed)'

time->Wed Sep 20 16:16:06 2006
type=USER_ERR msg=audit(1158761766.696:363): user pid=2549 uid=0 
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: 
bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, 
terminal=console res=failed)'


very strange...

In any case, what is dm-0?

thanks
Gianfranco
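
Added example (not part of the original message, and not code from the audit package): a small Python parser for the syslog-format AVC denials quoted above, which collapses the roughly 300 similar records into one count per distinct denial. The function names and the second sample record (serial 309) are constructed for illustration; the first record is the one from the message, re-joined onto one line.

```python
import re
from collections import Counter

# Constructed sample: the denial quoted in the message (mail line-wrapping
# undone), one constructed near-duplicate, and one unrelated syslog line.
SAMPLE_LOG = """\
Sep 20 16:16:11 ethan kernel: audit(1158761731.078:308): avc:  denied  { search } for  pid=1359 comm="pam_console_app" name="var" dev=dm-0 ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
Sep 20 16:16:11 ethan kernel: audit(1158761731.082:309): avc:  denied  { search } for  pid=1360 comm="pam_console_app" name="var" dev=dm-0 ino=130817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
Sep 20 16:16:12 ethan gdm[2549]: unrelated syslog line
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None  # truncated record, nothing reliable to report
    rec["ts"] = m.group("ts")
    rec["serial"] = int(m.group("serial"))  # the number given to ausearch -a
    rec["perms"] = m.group("perms").split()
    # The SELinux type is the third colon-separated field of a context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Count denials per (comm, source type, target type, class, perms, dev, ino)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["comm"], rec["stype"], rec["ttype"], rec["tclass"],
                   " ".join(rec["perms"]), rec["dev"], rec["ino"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

To run it on a real system, pass the contents of /var/log/messages to summarize() in place of SAMPLE_LOG.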




