Attached are the dmesg errors grepped to output avc errors.
Also, I am having trouble with logging out of gnome. Instead of poweroff command, I get an unknown user error dialog message. Poweroff does nothing. I have to run this from root to get it to poweroff.
Sorry for the alias.
Jim
audit(1079481254.697:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86 name=console dev=hdb2 ino=752210 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:xdm_var_run_t tclass=dir
audit(1079481256.567:0): avc: denied { read } for pid=3310 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481256.567:0): avc: denied { getattr } for pid=3310 exe=/bin/bash path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481260.180:0): avc: denied { search } for pid=3312 exe=/usr/bin/ssh-agent name=home dev=hdb2 ino=1030177 scontext=user_u:user_r:user_ssh_agent_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481273.536:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86 name=.gnome2 dev=hdb2 ino=33285 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481273.536:0): avc: denied { read } for pid=3307 exe=/usr/X11R6/bin/XFree86 name=fonts.dir dev=hdb2 ino=801265 scontext=user_u:user_r:user_xserver_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1079481273.536:0): avc: denied { getattr } for pid=3307 exe=/usr/X11R6/bin/XFree86 path=/home/jim/.gnome2/share/cursor-fonts/fonts.dir dev=hdb2 ino=801265 scontext=user_u:user_r:user_xserver_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1079481275.105:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1079481275.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam path=/tmp/.fam_socket scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.173:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079481275.175:0): avc: denied { write } for pid=3335 exe=/usr/libexec/gnome-settings-daemon name=.famjOWPcN dev=hdb2 ino=278074 scontext=user_u:user_r:user_t tcontext=system_u:object_r:inetd_child_tmp_t tclass=sock_file
audit(1079481275.175:0): avc: denied { connectto } for pid=3335 exe=/usr/libexec/gnome-settings-daemon path=/tmp/.famjOWPcN scontext=user_u:user_r:user_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.178:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam path=/tmp/.famjOWPcN scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.180:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mtab dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481275.180:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/etc/mtab dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079481275.181:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342 dev= ino=219021314 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=dir
audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481275.181:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481275.276:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/usr/share/mime-info/gnome-vfs.keys dev=hdb2 ino=229748 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=.gnome dev=hdb2 ino=2224863 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.729:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.gnome/mime-info dev=hdb2 ino=1112366 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.730:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mime-info dev=hdb2 ino=1112366 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.766:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.gnome/mime-info/user.mime dev=hdb2 ino=1111959 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=file
audit(1079481279.834:0): avc: denied { write } for pid=3366 exe=/usr/bin/magicdev name=fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
audit(1079481279.835:0): avc: denied { ioctl } for pid=3366 exe=/usr/bin/magicdev path=/dev/fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481282.526:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481286.686:0): avc: denied { use } for pid=3416 exe=/sbin/pam_timestamp_check path=/dev/tty2 dev=hdb2 ino=71750 scontext=user_u:user_r:pam_t tcontext=system_u:system_r:local_login_t tclass=fd
audit(1079481286.688:0): avc: denied { sys_tty_config } for pid=3416 exe=/sbin/pam_timestamp_check capability=26 scontext=user_u:user_r:pam_t tcontext=user_u:user_r:pam_t tclass=capability
audit(1079481292.262:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481300.966:0): avc: denied { read } for pid=3425 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481305.741:0): avc: denied { setattr } for pid=3433 exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hdb2 ino=2175537 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file
audit(1079481306.919:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079481306.930:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481318.752:0): avc: denied { read } for pid=3439 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481318.753:0): avc: denied { getattr } for pid=3439 exe=/bin/bash path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079482042.883:0): avc: denied { search } for pid=3501 exe=/bin/su name=root dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { write } for pid=3501 exe=/bin/su name=root dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { add_name } for pid=3501 exe=/bin/su name=.xauthtZDJwx scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { create } for pid=3501 exe=/bin/su name=.xauthtZDJwx scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
audit(1079482042.923:0): avc: denied { setattr } for pid=3501 exe=/bin/su name=.xauthtZDJwx dev=hdb2 ino=360078 scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
audit(1079482500.573:0): avc: denied { read } for pid=3539 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:file_t tclass=file
audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079482629.580:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342 dev= ino=219021314 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=dir
audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079482650.058:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1079482650.109:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079482650.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.115:0): avc: denied { write } for pid=3554 exe=/usr/bin/kdeinit name=.famrrGRJP dev=hdb2 ino=278715 scontext=user_u:user_r:user_t tcontext=system_u:object_r:inetd_child_tmp_t tclass=sock_file
audit(1079482650.115:0): avc: denied { connectto } for pid=3554 exe=/usr/bin/kdeinit path=/tmp/.famrrGRJP scontext=user_u:user_r:user_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.116:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.287:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482650.288:0): avc: denied { search } for pid=3555 exe=/usr/bin/kdeinit name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482650.334:0): avc: denied { read } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482650.335:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-jim/ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.439:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.441:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482651.441:0): avc: denied { add_name } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482651.441:0): avc: denied { create } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.442:0): avc: denied { setattr } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.017:0): avc: denied { remove_name } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482660.017:0): avc: denied { rename } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.017:0): avc: denied { unlink } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.024:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit name=ksycocastamp dev=hdb2 ino=376977 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=file
audit(1079482660.175:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=.kde dev=hdb2 ino=737042 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.176:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.kde/share/servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.177:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.179:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/usr/share/servicetypes/kcomprfilter.desktop dev=hdb2 ino=196659 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file
audit(1079482660.787:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/usr/share/applications/redhat-web.desktop dev=hdb2 ino=1717246 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=lnk_file
audit(1079482810.277:0): avc: denied { setattr } for pid=3567 exe=/usr/bin/gnome-volume-control name=registry.xml dev=hdb2 ino=2175537 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file
Penny Cornette wrote:
Attached are the dmesg errors grepped to output avc errors.
Also, I am having trouble with logging out of gnome. Instead of poweroff command, I get an unknown user error dialog message. Poweroff does nothing. I have to run this from root to get it to poweroff.
Sorry for the alias.
Jim
You should turn off sgi_fam:
chkconfig sgi_fam off
This is generating most of the errors and will be turned off by default in Test2. I have added fixes for a few of your other problems.
policy-1.8-19
Thanks for the messages.
Dan
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Daniel J Walsh dwalsh@redhat.com wrote:
You should turn off sgi_fam:
chkconfig sgi_fam off
This is generating most of the errors and will be turned off by default in Test2.
It's not clear here whether fam will be turned off just for test2 while issues are sorted out, or permanently including the FC2 final release.
If the latter then I'd be concerned about losing the file monitoring functionality and I suspect a lot of users will complain that the file browsers are broken and not updating correctly.
I've googled for an explanation of what the problem is with fam/selinux but didn't come up with anything. I'd be curious to know what it is. Or even if there's a new replacement which supersedes it.
Cheers,
Martin.
On Wed, 17 Mar 2004 21:01, Martin Ebourne lists@ebourne.me.uk wrote:
I've googled for an explanation of what the problem is with fam/selinux but didn't come up with anything. I'd be curious to know what it is. Or even if there's a new replacement which supersedes it.
The problem is that famd is an application which accepts network connections and wants read access to every file that any user can access. If you want to have a secure system you don't want many such programs.
Remote famd operation is only for non-polling notifications over the network. For most people having polling for file status changes on NFS will probably be OK.
Russell Coker russell@coker.com.au wrote:
The problem is that famd is an application which accepts network connections and wants read access to every file that any user can access. If you want to have a secure system you don't want many such programs.
Surely it doesn't need access to the file contents - just to stat them, so access to directories (still a security issue, I agree).
Remote famd operation is only for non-polling notifications over the network. For most people having polling for file status changes on NFS will probably be OK.
I agree with disabling remote famd, but the original post appeared to be disabling the daemon entirely, which I expect would prevent local file monitoring too. Or do gnome/kde use dnotify directly?
Also, I thought RH/Fedora already shipped with remote famd disabled.
Cheers,
Martin.
On Wed, 17 Mar 2004 22:39, Martin Ebourne lists@ebourne.me.uk wrote:
Russell Coker russell@coker.com.au wrote:
The problem is that famd is an application which accepts network connections and wants read access to every file that any user can access. If you want to have a secure system you don't want many such programs.
Surely it doesn't need access to the file contents - just to stat them, so access to directories (still a security issue, I agree).
Giving access to file names is still a security issue. If it can run with only { getattr search } access to directories and getattr access to files then it won't be so bad. Of course being able to remotely monitor what files someone is writing to also provides some issues (and for some files the names are predictable).
Remote famd operation is only for non-polling notifications over the network. For most people having polling for file status changes on NFS will probably be OK.
I agree with disabling remote famd, but the original post appeared to be disabling the daemon entirely, which I expect would prevent local file monitoring too. Or do gnome/kde use dnotify directly?
I don't think that the command Dan suggested would turn it off entirely. The libfam functionality linked into applications should still do everything you want locally.
Also, I thought RH/Fedora already shipped with remote famd disabled.
Not last time I checked.
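Tallying the denials the way audit2allow would, as an added example that is not part of this thread: a Python parser for the dmesg AVC lines posted above that groups them by source type, target type and object class, so one can see at a glance which permissions famd (running as inetd_child_t) is asking for, including the { getattr search } on directories Russell mentions. The sample lines are copied from the log in the first message; the rendered allow rules are a review aid for judging how broad fam's footprint is, not a policy to load.

```python
import re
from collections import defaultdict

# Constructed sample: AVC denial lines copied from the dmesg output posted
# earlier in this thread (famd as inetd_child_t, kdeinit as user_t).
SAMPLE_AVC = """\
audit(1079481275.105:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1079481275.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam path=/tmp/.fam_socket scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482660.176:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.kde/share/servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.177:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.175:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=.kde dev=hdb2 ino=737042 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482650.334:0): avc: denied { read } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
"""

# Permissions sit inside "{ ... }"; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return (perms, fields) for one denial, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Empty values such as "dev=" (seen for sysctl) still parse cleanly.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return m.group("perms").split(), fields

def type_of(context):
    # user_u:user_r:user_t -> user_t (the type is the third field)
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class) -> set of perms."""
    summary = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        summary[key].update(perms)
    return dict(summary)

def allow_rules(summary):
    """Render the summary as audit2allow-style TE rules, sorted for review."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(summary.items())
    ]
```

Running `allow_rules(summarize(SAMPLE_AVC))` shows famd needing read on user home directories and a listening Unix socket, which is exactly the footprint the thread objects to.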
Russell Coker wrote:
On Wed, 17 Mar 2004 22:39, Martin Ebourne lists@ebourne.me.uk wrote:
Russell Coker russell@coker.com.au wrote:
The problem is that famd is an application which accepts network connections and wants read access to every file that any user can access. If you want to have a secure system you don't want many such programs.
Surely it doesn't need access to the file contents - just to stat them, so access to directories (still a security issue, I agree).
Giving access to file names is still a security issue. If it can run with only { getattr search } access to directories and getattr access to files then it won't be so bad. Of course being able to remotely monitor what files someone is writing to also provides some issues (and for some files the names are predictable).
We have turned it off for test2 and intend to have a replacement. Basically we need one that runs in user space and has access to all files that the user has access to. Currently famd does stuff with portmapper and still requires a network communication even if it is only allowing localhost. In FC1 it was locked down to localhost. We realize that fam provides a needed feature, and are working to replace it.
Dan
Remote famd operation is only for non-polling notifications over the network. For most people having polling for file status changes on NFS will probably be OK.
I agree with disabling remote famd, but the original post appeared to be disabling the daemon entirely, which I expect would prevent local file monitoring too. Or do gnome/kde use dnotify directly?
I don't think that the command Dan suggested would turn it off entirely. The libfam functionality linked into applications should still do everything you want locally.
Also, I thought RH/Fedora already shipped with remote famd disabled.
Not last time I checked.