Dear all,
I have resolved one problem(Not getting internet at startup by default), but have not fixed the crontab one and other(s):
This one does not go away :(
Summary:
SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by crontab. It is not expected that this access is required by crontab and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0 .c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source crontab Source Path /usr/bin/crontab Port <Unknown> Host riohigh Source RPM Packages cronie-1.2-7.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 177 First Seen Mon 02 Mar 2009 07:11:37 PM CST Last Seen Wed 25 Mar 2009 04:57:03 PM CST Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16 Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
I can't modify my crontab file:
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info You (olivares) are not allowed to access to (crontab) because of pam configuration. [olivares@riohigh ~]$
if I disable selinux, I can modify it and view it, but not with selinux enabled.
I got greeted with the following:
Summary:
SELinux is preventing access to files with the default label, default_t.
Detailed Description:
SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
Allowing Access:
If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects /.kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port <Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 7 First Seen Wed 25 Mar 2009 04:38:14 PM CST Last Seen Wed 25 Mar 2009 04:38:14 PM CST Local ID d3d42e40-6a28-48cf-8717-b85579c55bad Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing access to files with the default label, default_t.
Detailed Description:
SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
Allowing Access:
If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects .kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port <Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 23 First Seen Wed 25 Mar 2009 04:38:14 PM CST Last Seen Wed 25 Mar 2009 04:38:14 PM CST Local ID 711eec22-2695-4e57-91ad-622e9c5f3b53 Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Startup did not take the 20 seconds, it took like 8 to 10 minutes with the relabeling and still see the same things. Is there an update that will fix this or do I have to disable selinux or boot in permissive in order to have a working machine.
Please help this is no longer fun as it once was.
Regards,
Antonio
On 03/25/2009 07:03 PM, Antonio Olivares wrote:
Dear all,
I have resolved one problem(Not getting internet at startup by default), but have not fixed the crontab one and other(s):
This one does not go away :(
Summary:
SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by crontab. It is not expected that this access is required by crontab and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0 .c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source crontab Source Path /usr/bin/crontab Port<Unknown> Host riohigh Source RPM Packages cronie-1.2-7.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 177 First Seen Mon 02 Mar 2009 07:11:37 PM CST Last Seen Wed 25 Mar 2009 04:57:03 PM CST Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16 Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
I can't modify my crontab file:
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info You (olivares) are not allowed to access to (crontab) because of pam configuration. [olivares@riohigh ~]$
if I disable selinux, I can modify it and view it, but not with selinux enabled.
I got greeted with the following:
Summary:
SELinux is preventing access to files with the default label, default_t.
Detailed Description:
SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
Allowing Access:
If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects /.kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port<Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 7 First Seen Wed 25 Mar 2009 04:38:14 PM CST Last Seen Wed 25 Mar 2009 04:38:14 PM CST Local ID d3d42e40-6a28-48cf-8717-b85579c55bad Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing access to files with the default label, default_t.
Detailed Description:
SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
Allowing Access:
If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects .kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port<Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 23 First Seen Wed 25 Mar 2009 04:38:14 PM CST Last Seen Wed 25 Mar 2009 04:38:14 PM CST Local ID 711eec22-2695-4e57-91ad-622e9c5f3b53 Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Startup did not take the 20 seconds, it took like 8 to 10 minutes with the relabeling and still see the same things. Is there an update that will fix this or do I have to disable selinux or boot in permissive in order to have a working machine.
Please help this is no longer fun as it once was.
Regards,
Antonio
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
The kde read/writing to /.kde is a kde bug/ kdm should have a home directory that we could give access to, not /. I have this setup and although it genetates AVC's I am able to login fine. Although gdm works better.
If you want to get rid of these avc's you could execute.
# semanage fcontext -a -t xdm_var_run_t '/.kde(/.*)?' # restorecon -R -v /.kde
Running crontab -e as root, problem is also a kdebase/konsole problem of leaked file descriptors. If you do an ls /proc/self/fd in the konsole you will see a whole bunch of file descriptors that have been leaked to the konsole. When you start a confined domain from the console SELinux reports these leaked file descriptors and closes them.
ls -l /proc/self/fd
should show something like
# ls -l /proc/self/fd total 0 lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4 lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
Which are three fd's to the terminal and one to the directory you are listing.
I see no avc that would break crontab -e?
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info You (olivares) are not allowed to access to (crontab) because of pam configuration.
Looks like you are running this as a normal user? Or are you running as root?
I can not get this to happen on my machine, so I think it might be something about the way you have pam setup? Do you have anything special setup in pam?
The kde read/writing to /.kde is a kde bug/ kdm should have a home directory that we could give access to, not /. I have this setup and although it genetates AVC's I am able to login fine. Although gdm works better.
If you want to get rid of these avc's you could execute.
# semanage fcontext -a -t xdm_var_run_t '/.kde(/.*)?' # restorecon -R -v /.kde
Running crontab -e as root, problem is also a kdebase/konsole problem of leaked file descriptors. If you do an ls /proc/self/fd in the konsole you will see a whole bunch of file descriptors that have been leaked to the konsole. When you start a confined domain from the console SELinux reports these leaked file descriptors and closes them.
ls -l /proc/self/fd
should show something like
# ls -l /proc/self/fd total 0 lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4 lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
Which are three fd's to the terminal and one to the directory you are listing.
I see no avc that would break crontab -e?
The avc denies crontab to display it and therefore the error. This happens on two machines running rawhide since the third one broke down :(. I can't test it there :(
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info You (olivares) are not allowed to access to (crontab) because of pam configuration.
Looks like you are running this as a normal user? Or are you running as root?
Normal user, even root can't edit crontab because the authority is denied :(, yes pam configuration :)
I can not get this to happen on my machine, so I think it might be something about the way you have pam setup? Do you have anything special setup in pam?
No, just regular default setup as it comes. Nothing special set aside.
Will try to apply the changes and report back. Thanks for helping out.
Regards,
Antonio
Antonio Olivares wrote:
The kde read/writing to /.kde is a kde bug/ kdm should have a home directory that we could give access to, not /. I have this setup and although it genetates AVC's I am able to login fine. Although gdm works better.
If you want to get rid of these avc's you could execute.
# semanage fcontext -a -t xdm_var_run_t '/.kde(/.*)?' # restorecon -R -v /.kde
Running crontab -e as root, problem is also a kdebase/konsole problem of leaked file descriptors. If you do an ls /proc/self/fd in the konsole you will see a whole bunch of file descriptors that have been leaked to the konsole. When you start a confined domain from the console SELinux reports these leaked file descriptors and closes them.
ls -l /proc/self/fd
should show something like
# ls -l /proc/self/fd total 0 lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4 lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
Which are three fd's to the terminal and one to the directory you are listing.
I see no avc that would break crontab -e?
The avc denies crontab to display it and therefore the error. This happens on two machines running rawhide since the third one broke down :(. I can't test it there :(
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info You (olivares) are not allowed to access to (crontab) because of pam configuration.
Looks like you are running this as a normal user? Or are you running as root?
Normal user, even root can't edit crontab because the authority is denied :(, yes pam configuration :)
I can not get this to happen on my machine, so I think it might be something about the way you have pam setup? Do you have anything special setup in pam?
No, just regular default setup as it comes. Nothing special set aside.
I can confirm the same behavior when trying to run "crontab -l" or "crontab -e" both as non-root and root user.
Authentication service cannot retrieve authentication info You (rnichols) are not allowed to access to (crontab) because of pam configuration.
OR
Authentication service cannot retrieve authentication info You (root) are not allowed to access to (crontab) because of pam configuration.
The problem goes away when running in permissive mode. Regardless of permissive vs. enforcing mode, no AVCs are logged. No changes have been made to the rawhide SELinux or PAM configurations. I do see this message logged in /var/log/secure for each unsuccessful attempt:
crontab: pam_unix(crond:account): helper binary execve failed: Permission denied
selinux-policy-3.6.8-3.fc11.noarch selinux-policy-targeted-3.6.8-3.fc11.noarch authconfig-5.4.7-2.fc11.i586
On 03/26/2009 11:43 AM, Robert Nichols wrote:
Antonio Olivares wrote:
The kde read/writing to /.kde is a kde bug/ kdm should have a home directory that we could give access to, not /. I have this setup and although it genetates AVC's I am able to login fine. Although gdm works better.
If you want to get rid of these avc's you could execute.
# semanage fcontext -a -t xdm_var_run_t '/.kde(/.*)?' # restorecon -R -v /.kde
Running crontab -e as root, problem is also a kdebase/konsole problem of leaked file descriptors. If you do an ls /proc/self/fd in the konsole you will see a whole bunch of file descriptors that have been leaked to the konsole. When you start a confined domain from the console SELinux reports these leaked file descriptors and closes them.
ls -l /proc/self/fd
should show something like
# ls -l /proc/self/fd total 0 lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4 lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
Which are three fd's to the terminal and one to the directory you are listing.
I see no avc that would break crontab -e?
The avc denies crontab to display it and therefore the error. This happens on two machines running rawhide since the third one broke down :(. I can't test it there :(
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info You (olivares) are not allowed to access to (crontab) because of pam configuration.
Looks like you are running this as a normal user? Or are you running as root?
Normal user, even root can't edit crontab because the authority is denied :(, yes pam configuration :)
I can not get this to happen on my machine, so I think it might be something about the way you have pam setup? Do you have anything special setup in pam?
No, just regular default setup as it comes. Nothing special set aside.
I can confirm the same behavior when trying to run "crontab -l" or "crontab -e" both as non-root and root user.
Authentication service cannot retrieve authentication info You (rnichols) are not allowed to access to (crontab) because of pam configuration.
OR
Authentication service cannot retrieve authentication info You (root) are not allowed to access to (crontab) because of pam configuration.
The problem goes away when running in permissive mode. Regardless of permissive vs. enforcing mode, no AVCs are logged. No changes have been made to the rawhide SELinux or PAM configurations. I do see this message logged in /var/log/secure for each unsuccessful attempt:
crontab: pam_unix(crond:account): helper binary execve failed: Permission denied
selinux-policy-3.6.8-3.fc11.noarch selinux-policy-targeted-3.6.8-3.fc11.noarch authconfig-5.4.7-2.fc11.i586
Do you see an SELINUX_ERR in /var/log/audit/audit.log?
WHat does id -Z show?
Could you try
# semodule -DB
Then look for avcs about cron.
--- On Fri, 3/27/09, Daniel J Walsh dwalsh@redhat.com wrote:
From: Daniel J Walsh dwalsh@redhat.com Subject: Re: selinux does not like crontab :(, default_t, kde To: "Robert Nichols" rnicholsNOSPAM@comcast.net, "Antonio Olivares" olivares14031@yahoo.com, Fedora-SELinux-List@redhat.com Date: Friday, March 27, 2009, 4:54 AM On 03/26/2009 11:43 AM, Robert Nichols wrote:
Antonio Olivares wrote:
The kde read/writing to /.kde is a kde bug/
kdm should
have a home directory that we could give
access to, not /. I have this
setup and although it genetates AVC's I am
able to login fine.
Although gdm works better.
If you want to get rid of these avc's you
could
execute.
# semanage fcontext -a -t xdm_var_run_t '/.kde(/.*)?' # restorecon -R -v /.kde
Running crontab -e as root, problem is also a kdebase/konsole problem of leaked file
descriptors. If you do an ls
/proc/self/fd in the konsole you will see a whole bunch of file
descriptors that have
been leaked to the konsole. When you start a
confined domain from the
console SELinux reports these leaked file
descriptors and closes them.
ls -l /proc/self/fd
should show something like
# ls -l /proc/self/fd total 0 lr-x------. 1 root root 64 2009-03-26 08:31 0
->
/dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 1
->
/dev/pts/4 lrwx------. 1 root root 64 2009-03-26 08:31 2
->
/dev/pts/4 lr-x------. 1 root root 64 2009-03-26 08:31 3
->
/proc/32759/fd
Which are three fd's to the terminal and
one to the
directory you are listing.
I see no avc that would break crontab -e?
The avc denies crontab to display it and therefore
the error. This
happens on two machines running rawhide since the
third one broke down
:(. I can't test it there :(
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve
authentication info
You (olivares) are not allowed to access to
(crontab)
because of pam configuration.
Looks like you are running this as a normal
user? Or are
you running as root?
Normal user, even root can't edit crontab
because the authority is
denied :(, yes pam configuration :)
I can not get this to happen on my machine, so
I think it
might be something about the way you have pam
setup? Do you have
anything special setup in pam?
No, just regular default setup as it comes.
Nothing special set aside.
I can confirm the same behavior when trying to run
"crontab -l" or
"crontab -e" both as non-root and root user.
Authentication service cannot retrieve authentication
info
You (rnichols) are not allowed to access to (crontab)
because of pam
configuration.
OR
Authentication service cannot retrieve authentication
info
You (root) are not allowed to access to (crontab)
because of pam
configuration.
The problem goes away when running in permissive mode.
Regardless of
permissive vs. enforcing mode, no AVCs are logged. No changes
have been made to the
rawhide SELinux or PAM configurations. I do see this
message logged in
/var/log/secure for each unsuccessful attempt:
crontab: pam_unix(crond:account): helper binary execve
failed:
Permission denied
selinux-policy-3.6.8-3.fc11.noarch selinux-policy-targeted-3.6.8-3.fc11.noarch authconfig-5.4.7-2.fc11.i586
Do you see an SELINUX_ERR in /var/log/audit/audit.log?
WHat does id -Z show?
Could you try
# semodule -DB
Then look for avcs about cron.
In applying the fixes, I got back another sealert denying me the right to change it :(
[olivares@riohigh ~]$ su - Password: [root@riohigh ~]# semanage fcontext -a -t xdm_var_run_t '/.kde(/.*)?' [root@riohigh ~]# restorecon -R -v /.kde restorecon reset /.kde context system_u:object_r:default_t:s0->system_u:object_r:xdm_var_run_t:s0 restorecon reset /.kde/share context system_u:object_r:default_t:s0->system_u:object_r:xdm_var_run_t:s0 restorecon reset /.kde/share/config context system_u:object_r:default_t:s0->system_u:object_r:xdm_var_run_t:s0 You have new mail in /var/spool/mail/root [root@riohigh ~]#
[olivares@riohigh ~]$ ls -l /proc/self/fd total 0 lrwx------. 1 olivares olivares 64 2009-03-27 06:08 0 -> /dev/pts/2 lrwx------. 1 olivares olivares 64 2009-03-27 06:08 1 -> /dev/pts/2 lrwx------. 1 olivares olivares 64 2009-03-27 06:08 10 -> socket:[18111] lrwx------. 1 olivares olivares 64 2009-03-27 06:08 11 -> socket:[18111] lrwx------. 1 olivares olivares 64 2009-03-27 06:08 14 -> socket:[18111] lrwx------. 1 olivares olivares 64 2009-03-27 06:08 15 -> socket:[18111] lrwx------. 1 olivares olivares 64 2009-03-27 06:08 17 -> socket:[18111] lrwx------. 1 olivares olivares 64 2009-03-27 06:08 2 -> /dev/pts/2 lrwx------. 1 olivares olivares 64 2009-03-27 06:08 20 -> socket:[18111] lrwx------. 1 olivares olivares 64 2009-03-27 06:08 21 -> socket:[18111] lr-x------. 1 olivares olivares 64 2009-03-27 06:08 3 -> /proc/3853/fd lrwx------. 1 olivares olivares 64 2009-03-27 06:08 9 -> socket:[18418] [olivares@riohigh ~]$
[root@riohigh ~]# ls -l /proc/self/fd total 0 lrwx------. 1 root root 64 2009-03-27 06:08 0 -> /dev/pts/1 lrwx------. 1 root root 64 2009-03-27 06:08 1 -> /dev/pts/1 lrwx------. 1 root root 64 2009-03-27 06:08 2 -> /dev/pts/1 lrwx------. 1 root root 64 2009-03-27 06:08 20 -> socket:[18111] lrwx------. 1 root root 64 2009-03-27 06:08 21 -> socket:[18111] lr-x------. 1 root root 64 2009-03-27 06:08 3 -> /proc/3819/fd [root@riohigh ~]#
Summary:
SELinux is preventing restorecon (setfiles_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by restorecon. It is not expected that this access is required by restorecon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102 3 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source restorecon Source Path /sbin/setfiles Port <Unknown> Host riohigh Source RPM Packages policycoreutils-2.0.62-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 2 First Seen Fri 27 Mar 2009 06:03:21 AM CST Last Seen Fri 27 Mar 2009 06:03:21 AM CST Local ID 280758b9-8eca-415e-9097-612ca0d9651f Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238155401.283:63): avc: denied { read write } for pid=3738 comm="restorecon" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238155401.283:63): avc: denied { read write } for pid=3738 comm="restorecon" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1238155401.283:63): arch=40000003 syscall=11 success=yes exit=0 a0=9533b00 a1=95336d8 a2=9534bc0 a3=95336d8 items=0 ppid=3630 pid=3738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
[root@riohigh ~]# cat /var/log/audit/audit.log | grep 'avc' type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237931623.442:55): avc: denied { read write } for pid=4122 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932293.691:69): avc: denied { read write } for pid=5166 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932306.888:79): avc: denied { read write } for pid=5219 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932306.888:79): avc: denied { read write } for pid=5219 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237996117.239:8): avc: denied { create } for pid=2408 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181854]" dev=sockfs ino=181854 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181854]" dev=sockfs ino=181854 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238020694.347:13): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.348:14): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.348:15): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.348:16): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.355:17): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.356:18): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.356:19): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.356:20): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.357:21): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.357:22): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.357:23): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.357:24): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.358:25): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.358:26): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.358:27): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.358:28): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.359:29): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.359:30): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.359:31): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.383:32): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.397:33): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.425:34): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.432:35): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.481:36): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.482:37): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.486:38): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.486:39): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.488:41): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238106483.931:8): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.932:9): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.932:10): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.933:11): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.951:12): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.951:13): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.952:14): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.952:15): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.952:16): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.952:17): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.953:18): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.953:19): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.953:20): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.954:21): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.954:22): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.954:23): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.954:24): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.955:25): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.955:26): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106483.959:27): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.005:28): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.021:29): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.060:30): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.122:31): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.142:32): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.147:33): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.148:34): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.148:35): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.180:36): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106484.181:37): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238106526.630:40): avc: denied { search } for pid=2688 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir type=AVC msg=audit(1238106526.630:40): avc: denied { read } for pid=2688 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file type=AVC msg=audit(1238106526.702:41): avc: denied { execute } for pid=2689 comm="pulseaudio" name="polkit-read-auth-helper" dev=sda5 ino=17300 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_auth_exec_t:s0 tclass=file type=AVC msg=audit(1238106526.702:41): avc: denied { read open } for pid=2689 comm="pulseaudio" name="polkit-read-auth-helper" dev=sda5 ino=17300 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_auth_exec_t:s0 tclass=file type=AVC msg=audit(1238106526.702:41): avc: denied { execute_no_trans } for pid=2689 comm="pulseaudio" path="/usr/libexec/polkit-read-auth-helper" dev=sda5 ino=17300 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_auth_exec_t:s0 tclass=file type=AVC msg=audit(1238106526.753:42): avc: denied { setattr } for pid=2690 comm="pulseaudio" name=".pulse" dev=sda5 ino=132410 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir type=AVC msg=audit(1238106526.756:43): avc: denied { read } for pid=2690 comm="pulseaudio" name="babc6121fcf79fbe86069a3248e578cc:runtime" dev=sda5 ino=131673 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=lnk_file type=AVC msg=audit(1238106526.765:44): avc: denied { write } for pid=2690 comm="pulseaudio" name="pulse-7jSoifiWvzLS" dev=sda5 ino=17108 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1238106526.765:44): avc: denied { add_name } for pid=2690 comm="pulseaudio" name="autospawn.lock" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1238106526.765:44): avc: denied { create } for pid=2690 comm="pulseaudio" name="autospawn.lock" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file type=AVC msg=audit(1238106526.765:44): avc: denied { write } for pid=2690 comm="pulseaudio" name="autospawn.lock" dev=sda5 ino=17316 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file type=AVC msg=audit(1238106526.854:45): avc: denied { read } for pid=2691 comm="pulseaudio" name="pulse-shm-868967743" dev=tmpfs ino=19899 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=file type=AVC msg=audit(1238106526.854:45): avc: denied { open } for pid=2691 comm="pulseaudio" name="pulse-shm-868967743" dev=tmpfs ino=19899 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=file type=AVC msg=audit(1238106526.854:46): avc: denied { getattr } for pid=2691 comm="pulseaudio" path="/dev/shm/pulse-shm-868967743" dev=tmpfs ino=19899 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=file type=AVC msg=audit(1238106527.020:47): avc: denied { read write } for pid=2691 comm="pulseaudio" name="babc6121fcf79fbe86069a3248e578cc:device-volumes.i386-redhat-linux-gnu.gdbm" dev=sda5 ino=132646 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file type=AVC msg=audit(1238106527.020:47): avc: denied { open } for pid=2691 comm="pulseaudio" name="babc6121fcf79fbe86069a3248e578cc:device-volumes.i386-redhat-linux-gnu.gdbm" dev=sda5 ino=132646 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file type=AVC msg=audit(1238106527.035:48): avc: denied { getattr } for pid=2691 comm="pulseaudio" path="/var/lib/gdm/.pulse/babc6121fcf79fbe86069a3248e578cc:device-volumes.i386-redhat-linux-gnu.gdbm" dev=sda5 ino=132646 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file type=AVC msg=audit(1238106527.415:51): avc: denied { lock } for pid=2691 comm="pulseaudio" path="/var/lib/gdm/.esd_auth" dev=sda5 ino=132649 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file type=AVC msg=audit(1238106527.436:52): avc: denied { create } for pid=2691 comm="pulseaudio" name="native" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file type=AVC msg=audit(1238106527.439:53): avc: denied { setattr } for pid=2691 comm="pulseaudio" name="native" dev=sda5 ino=19560 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file type=AVC msg=audit(1238106527.695:54): avc: denied { remove_name } for pid=2688 comm="pulseaudio" name="autospawn.lock" dev=sda5 ino=17316 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1238106527.695:54): avc: denied { unlink } for pid=2688 comm="pulseaudio" name="autospawn.lock" dev=sda5 ino=17316 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file type=AVC msg=audit(1238106560.602:62): avc: denied { read } for pid=2691 comm="pulseaudio" name="babc6121fcf79fbe86069a3248e578cc:runtime" dev=sda5 ino=131673 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=lnk_file type=AVC msg=audit(1238106560.602:62): avc: denied { write } for pid=2691 comm="pulseaudio" name="pulse-7jSoifiWvzLS" dev=sda5 ino=17108 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1238106560.602:62): avc: denied { remove_name } for pid=2691 comm="pulseaudio" name="native" dev=sda5 ino=19560 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1238106560.602:62): avc: denied { unlink } for pid=2691 comm="pulseaudio" name="native" dev=sda5 ino=19560 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file type=AVC msg=audit(1238106560.621:63): avc: denied { setattr } for pid=2691 comm="pulseaudio" name=".pulse" dev=sda5 ino=132410 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir type=AVC msg=audit(1238106560.622:64): avc: denied { write } for pid=2691 comm="pulseaudio" name="pid" dev=sda5 ino=17350 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file type=AVC msg=audit(1238106560.623:65): avc: denied { unlink } for pid=2691 comm="pulseaudio" name="pid" dev=sda5 ino=17350 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file type=AVC msg=audit(1238154706.445:8): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.447:9): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.447:10): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.447:11): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.457:12): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.458:13): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.458:14): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.458:15): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.458:16): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.459:17): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.459:18): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.459:19): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.460:20): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.460:21): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.460:22): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.460:23): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.461:24): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.461:25): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.461:26): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.471:27): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.508:28): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.510:29): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.522:30): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.708:31): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.720:32): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.724:33): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.724:34): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.725:35): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.782:36): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238154706.783:37): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238155282.150:61): avc: denied { read write } for pid=3671 comm="semanage" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238155282.150:61): avc: denied { read write } for pid=3671 comm="semanage" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238155401.283:63): avc: denied { read write } for pid=3738 comm="restorecon" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238155401.283:63): avc: denied { read write } for pid=3738 comm="restorecon" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket [root@riohigh ~]#
[root@riohigh ~]# id -Z unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [root@riohigh ~]#
[olivares@riohigh ~]$ id -Z unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [olivares@riohigh ~]$
running the last one and seeing what will happen?
Thanks Robert for pointing out that the problems do exist and for helping out :) Thank you Daniel for helping out in looking for fixes to this problem :)
Regards,
Antonio
Daniel J Walsh wrote:
On 03/26/2009 11:43 AM, Robert Nichols wrote:
I can confirm the same behavior when trying to run "crontab -l" or "crontab -e" both as non-root and root user.
Authentication service cannot retrieve authentication info You (rnichols) are not allowed to access to (crontab) because of pam configuration.
OR
Authentication service cannot retrieve authentication info You (root) are not allowed to access to (crontab) because of pam configuration.
The problem goes away when running in permissive mode. Regardless of permissive vs. enforcing mode, no AVCs are logged. No changes have been made to the rawhide SELinux or PAM configurations. I do see this message logged in /var/log/secure for each unsuccessful attempt:
crontab: pam_unix(crond:account): helper binary execve failed: Permission denied
selinux-policy-3.6.8-3.fc11.noarch selinux-policy-targeted-3.6.8-3.fc11.noarch authconfig-5.4.7-2.fc11.i586
Do you see an SELINUX_ERR in /var/log/audit/audit.log?
WHat does id -Z show?
Could you try
# semodule -DB
Then look for avcs about cron.
I see this SELINUX_ERR in audit.log for each attempt:
type=SELINUX_ERR msg=audit(1238166172.444:23): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
After "semodule -DB", I still don't see any AVCs from cron. With or without the dontaudits removed, running "grep cron audit.log" shows these 3 lines for each attempt:
type=SELINUX_ERR msg=audit(1238167945.826:1307): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1238167945.826:1307): arch=40000003 syscall=11 success=no exit=-13 a0=119d98 a1=bffd1030 a2=11c8e8 a3=119db4 items=0 ppid=3890 pid=3891 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1238167945.829:1308): user pid=3890 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="rnichols" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
(Now running "semodule -B" to restore peace to my system!)
On 03/25/2009 07:03 PM, Antonio Olivares wrote:
Dear all,
I have resolved one problem(Not getting internet at startup by default), but have not fixed the crontab one and other(s):
This one does not go away :(
Summary:
SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by crontab. It is not expected that this access is required by crontab and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0 .c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source crontab Source Path /usr/bin/crontab Port<Unknown> Host riohigh Source RPM Packages cronie-1.2-7.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 177 First Seen Mon 02 Mar 2009 07:11:37 PM CST Last Seen Wed 25 Mar 2009 04:57:03 PM CST Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16 Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
I can't modify my crontab file:
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info You (olivares) are not allowed to access to (crontab) because of pam configuration. [olivares@riohigh ~]$
if I disable selinux, I can modify it and view it, but not with selinux enabled.
I got greeted with the following:
Summary:
SELinux is preventing access to files with the default label, default_t.
Detailed Description:
SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
Allowing Access:
If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects /.kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port<Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 7 First Seen Wed 25 Mar 2009 04:38:14 PM CST Last Seen Wed 25 Mar 2009 04:38:14 PM CST Local ID d3d42e40-6a28-48cf-8717-b85579c55bad Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing access to files with the default label, default_t.
Detailed Description:
SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
Allowing Access:
If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects .kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port<Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 23 First Seen Wed 25 Mar 2009 04:38:14 PM CST Last Seen Wed 25 Mar 2009 04:38:14 PM CST Local ID 711eec22-2695-4e57-91ad-622e9c5f3b53 Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Startup did not take the 20 seconds, it took like 8 to 10 minutes with the relabeling and still see the same things. Is there an update that will fix this or do I have to disable selinux or boot in permissive in order to have a working machine.
Please help this is no longer fun as it once was.
Regards,
Antonio
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Update to
selinux-policy-3.6.10-2.fc11
Update to
selinux-policy-3.6.10-2.fc11
Not available :(
[root@riohigh ~]# yum update adobe-linux-i386 | 951 B 00:00 adobe-linux-i386/primary | 10 kB 00:00 adobe-linux-i386 17/17 rawhide/metalink | 7.1 kB 00:00 rawhide | 3.4 kB 00:00 rawhide/primary_db | 8.0 MB 00:24 Setting up Update Process No Packages marked for Update
Selinux is going crazy, the setroubleshooter hogs the CPU with a great deal of denials even in permissive mode. I hope I wake up next Monday and the problem goes away, hopefully with the release of Fedora 11 Beta :)
nsplugin, pulseaudio and others are also causing lots of trouble, problem is I tried to write a bug report but was unable to, setroubleshoot deamon died and I could not copy paste it :(
[olivares@riohigh ~]$ dmesg | grep 'avc' type=1400 audit(1238189886.196:3): avc: denied { search } for pid=1553 comm="ifconfig" name="selinux" dev=sda5 ino=25722 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir type=1400 audit(1238189886.196:4): avc: denied { read } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=1400 audit(1238189886.196:5): avc: denied { open } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=1400 audit(1238189886.196:6): avc: denied { getattr } for pid=1553 comm="ifconfig" path="/etc/selinux/config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=1400 audit(1238189886.197:7): avc: denied { getattr } for pid=1553 comm="ifconfig" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=1400 audit(1238189886.197:8): avc: denied { search } for pid=1553 comm="ifconfig" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir type=1400 audit(1238189886.197:9): avc: denied { getattr } for pid=1553 comm="ifconfig" path="/selinux/class" dev=selinuxfs ino=26 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir type=1400 audit(1238189886.197:10): avc: denied { read } for pid=1553 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file type=1400 audit(1238189886.198:11): avc: denied { open } for pid=1553 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file type=1400 audit(1238189892.172:12): avc: denied { rlimitinh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process type=1400 audit(1238189892.172:13): avc: denied { siginh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process type=1400 audit(1238189892.172:14): avc: denied { noatsecure } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process
Here are some anyway even with enforcing=0(permissive mode) :(
Regards,
Antonio
On 03/27/2009 05:59 PM, Antonio Olivares wrote:
Update to
selinux-policy-3.6.10-2.fc11
Not available :(
[root@riohigh ~]# yum update adobe-linux-i386 | 951 B 00:00 adobe-linux-i386/primary | 10 kB 00:00 adobe-linux-i386 17/17 rawhide/metalink | 7.1 kB 00:00 rawhide | 3.4 kB 00:00 rawhide/primary_db | 8.0 MB 00:24 Setting up Update Process No Packages marked for Update
Selinux is going crazy, the setroubleshooter hogs the CPU with a great deal of denials even in permissive mode. I hope I wake up next Monday and the problem goes away, hopefully with the release of Fedora 11 Beta :)
nsplugin, pulseaudio and others are also causing lots of trouble, problem is I tried to write a bug report but was unable to, setroubleshoot deamon died and I could not copy paste it :(
[olivares@riohigh ~]$ dmesg | grep 'avc' type=1400 audit(1238189886.196:3): avc: denied { search } for pid=1553 comm="ifconfig" name="selinux" dev=sda5 ino=25722 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir type=1400 audit(1238189886.196:4): avc: denied { read } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=1400 audit(1238189886.196:5): avc: denied { open } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=1400 audit(1238189886.196:6): avc: denied { getattr } for pid=1553 comm="ifconfig" path="/etc/selinux/config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=1400 audit(1238189886.197:7): avc: denied { getattr } for pid=1553 comm="ifconfig" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=1400 audit(1238189886.197:8): avc: denied { search } for pid=1553 comm="ifconfig" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir type=1400 audit(1238189886.197:9): avc: denied { getattr } for pid=1553 comm="ifconfig" path="/selinux/class" dev=selinuxfs ino=26 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir type=1400 audit(1238189886.197:10): avc: denied { read } for pid=1553 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file type=1400 audit(1238189886.198:11): avc: denied { open } for pid=1553 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file type=1400 audit(1238189892.172:12): avc: denied { rlimitinh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process type=1400 audit(1238189892.172:13): avc: denied { siginh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process type=1400 audit(1238189892.172:14): avc: denied { noatsecure } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process
Here are some anyway even with enforcing=0(permissive mode) :(
Regards,
Antonio
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This sounds like you have a mislabeled system. Rawhide has opened today. see if the update fixes your problems, otherwise try a relabel.
https://www.redhat.com/mailman/listinfo/fedora-selinux-list This sounds like you have a mislabeled system. Rawhide has opened today. see if the update fixes your problems, otherwise try a relabel.
Now it is not selinux's fault:
[olivares@riohigh Download]$ crontab -l cron/olivares: Permission denied [olivares@riohigh Download]$ crontab -e cron/olivares: Permission denied [olivares@riohigh Download]$ dmesg | grep 'avc' type=1400 audit(1238450106.840:4): avc: denied { read } for pid=1716 comm="dmesg" name="ld.so.cache" dev=sda5 ino=68454 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Wonder what could it be now?
Thanks,
Antonio
On 03/30/2009 06:20 PM, Antonio Olivares wrote:
https://www.redhat.com/mailman/listinfo/fedora-selinux-list This sounds like you have a mislabeled system. Rawhide has opened today. see if the update fixes your problems, otherwise try a relabel.
Now it is not selinux's fault:
[olivares@riohigh Download]$ crontab -l cron/olivares: Permission denied [olivares@riohigh Download]$ crontab -e cron/olivares: Permission denied [olivares@riohigh Download]$ dmesg | grep 'avc' type=1400 audit(1238450106.840:4): avc: denied { read } for pid=1716 comm="dmesg" name="ld.so.cache" dev=sda5 ino=68454 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Wonder what could it be now?
Thanks,
Antonio
That should be fixed in rawhide policy. selinux-policy-3.6.10-4.fc11.noarch
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Daniel J Walsh wrote:
On 03/25/2009 07:03 PM, Antonio Olivares wrote:
Dear all,
I have resolved one problem(Not getting internet at startup by default), but have not fixed the crontab one and other(s):
This one does not go away :(
Summary:
SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
Update to
selinux-policy-3.6.10-2.fc11
Now that the update logjam has broken, this problem is fixed in selinux-policy*-3.6.10-4.fc11.
Thanks.
selinux@lists.fedoraproject.org