6:39 p.m.
Attached is the dmesg errors grepped to output avc errors.
Also, I am having trouble with logging out of gnome. Instead of poweroff
command, I get an unkmown user error dialog message. Poweroff does
nothing. I have to run this from root to get it to poweroff.
Sorry for the alias.
Jim
audit(1079481254.697:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86
name=console dev=hdb2 ino=752210 scontext=user_u:user_r:user_xserver_t
tcontext=system_u:object_r:xdm_var_run_t tclass=dir
audit(1079481256.567:0): avc: denied { read } for pid=3310 exe=/bin/bash name=mtab
dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481256.567:0): avc: denied { getattr } for pid=3310 exe=/bin/bash
path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481260.180:0): avc: denied { search } for pid=3312 exe=/usr/bin/ssh-agent
name=home dev=hdb2 ino=1030177 scontext=user_u:user_r:user_ssh_agent_t
tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481273.536:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86
name=.gnome2 dev=hdb2 ino=33285 scontext=user_u:user_r:user_xserver_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481273.536:0): avc: denied { read } for pid=3307 exe=/usr/X11R6/bin/XFree86
name=fonts.dir dev=hdb2 ino=801265 scontext=user_u:user_r:user_xserver_t
tcontext=user_u:object_r:user_home_t tclass=file
audit(1079481273.536:0): avc: denied { getattr } for pid=3307
exe=/usr/X11R6/bin/XFree86 path=/home/jim/.gnome2/share/cursor-fonts/fonts.dir dev=hdb2
ino=801265 scontext=user_u:user_r:user_xserver_t tcontext=user_u:object_r:user_home_t
tclass=file
audit(1079481275.105:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys
dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t
tclass=dir
audit(1079481275.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam
path=/tmp/.fam_socket scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.173:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam
capability=0 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079481275.175:0): avc: denied { write } for pid=3335
exe=/usr/libexec/gnome-settings-daemon name=.famjOWPcN dev=hdb2 ino=278074
scontext=user_u:user_r:user_t tcontext=system_u:object_r:inetd_child_tmp_t
tclass=sock_file
audit(1079481275.175:0): avc: denied { connectto } for pid=3335
exe=/usr/libexec/gnome-settings-daemon path=/tmp/.famjOWPcN scontext=user_u:user_r:user_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.178:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam
path=/tmp/.famjOWPcN scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.180:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mtab
dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481275.180:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/etc/mtab dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t
tclass=lnk_file
audit(1079481275.181:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342
dev= ino=219021314 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=dir
audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481275.181:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481275.276:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/usr/share/mime-info/gnome-vfs.keys dev=hdb2 ino=229748
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home
dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim
dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam
name=.gnome dev=hdb2 ino=2224863 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.729:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim/.gnome/mime-info dev=hdb2 ino=1112366
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t
tclass=dir
audit(1079481275.730:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam
name=mime-info dev=hdb2 ino=1112366 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.766:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim/.gnome/mime-info/user.mime dev=hdb2 ino=1111959
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t
tclass=file
audit(1079481279.834:0): avc: denied { write } for pid=3366 exe=/usr/bin/magicdev
name=fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
audit(1079481279.835:0): avc: denied { ioctl } for pid=3366 exe=/usr/bin/magicdev
path=/dev/fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t
tclass=lnk_file
audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481282.526:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481286.686:0): avc: denied { use } for pid=3416 exe=/sbin/pam_timestamp_check
path=/dev/tty2 dev=hdb2 ino=71750 scontext=user_u:user_r:pam_t
tcontext=system_u:system_r:local_login_t tclass=fd
audit(1079481286.688:0): avc: denied { sys_tty_config } for pid=3416
exe=/sbin/pam_timestamp_check capability=26 scontext=user_u:user_r:pam_t
tcontext=user_u:user_r:pam_t tclass=capability
audit(1079481292.262:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481300.966:0): avc: denied { read } for pid=3425 exe=/bin/bash name=mtab
dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481305.741:0): avc: denied { setattr } for pid=3433
exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hdb2 ino=2175537
scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file
audit(1079481306.919:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam
capability=0 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079481306.930:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=jim
dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481318.752:0): avc: denied { read } for pid=3439 exe=/bin/bash name=mtab
dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481318.753:0): avc: denied { getattr } for pid=3439 exe=/bin/bash
path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home
dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim
dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079482042.883:0): avc: denied { search } for pid=3501 exe=/bin/su name=root
dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { write } for pid=3501 exe=/bin/su name=root
dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { add_name } for pid=3501 exe=/bin/su
name=.xauthtZDJwx scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t
tclass=dir
audit(1079482042.898:0): avc: denied { create } for pid=3501 exe=/bin/su
name=.xauthtZDJwx scontext=user_u:user_r:user_su_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
audit(1079482042.923:0): avc: denied { setattr } for pid=3501 exe=/bin/su
name=.xauthtZDJwx dev=hdb2 ino=360078 scontext=user_u:user_r:user_su_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
audit(1079482500.573:0): avc: denied { read } for pid=3539 exe=/bin/bash name=mtab
dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t
tclass=lnk_file
audit(1079482629.580:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342
dev= ino=219021314 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=dir
audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079482650.058:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys
dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t
tclass=dir
audit(1079482650.109:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam
capability=0 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079482650.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam
path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.115:0): avc: denied { write } for pid=3554 exe=/usr/bin/kdeinit
name=.famrrGRJP dev=hdb2 ino=278715 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:inetd_child_tmp_t tclass=sock_file
audit(1079482650.115:0): avc: denied { connectto } for pid=3554 exe=/usr/bin/kdeinit
path=/tmp/.famrrGRJP scontext=user_u:user_r:user_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.116:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam
path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.287:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit
path=/var/tmp/kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1079482650.288:0): avc: denied { search } for pid=3555 exe=/usr/bin/kdeinit
name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1079482650.334:0): avc: denied { read } for pid=3555 exe=/usr/bin/kdeinit
name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482650.335:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit
path=/var/tmp/kdecache-jim/ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.439:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit
name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.441:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit
name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1079482651.441:0): avc: denied { add_name } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t
tclass=dir
audit(1079482651.441:0): avc: denied { create } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t
tclass=file
audit(1079482651.442:0): avc: denied { setattr } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.017:0): avc: denied { remove_name } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1079482660.017:0): avc: denied { rename } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.017:0): avc: denied { unlink } for pid=3555 exe=/usr/bin/kdeinit
name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.024:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocastamp dev=hdb2 ino=376977 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079482660.175:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=.kde
dev=hdb2 ino=737042 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.176:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim/.kde/share/servicetypes dev=hdb2 ino=801647
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t
tclass=dir
audit(1079482660.177:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam
name=servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.179:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/usr/share/servicetypes/kcomprfilter.desktop dev=hdb2 ino=196659
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file
audit(1079482660.787:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/usr/share/applications/redhat-web.desktop dev=hdb2 ino=1717246
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=lnk_file
audit(1079482810.277:0): avc: denied { setattr } for pid=3567
exe=/usr/bin/gnome-volume-control name=registry.xml dev=hdb2 ino=2175537
scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file
10:53 p.m.
Penny Cornette wrote:
Attached is the dmesg errors grepped to output avc errors.
Also, I am having trouble with logging out of gnome. Instead of
poweroff command, I get an unkmown user error dialog message. Poweroff
does nothing. I have to run this from root to get it to poweroff.
Sorry for the alias.
Jim
You should turn off sgi_fam
chkconfig sgi_fam off
This is generating most of the errors and will be turned off by default
in Test2.
I have added fixes for a few of your other problems.
policy-1.8-19
Thanks for the messages.
Dan
------------------------------------------------------------------------
audit(1079481254.697:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86
name=console dev=hdb2 ino=752210 scontext=user_u:user_r:user_xserver_t
tcontext=system_u:object_r:xdm_var_run_t tclass=dir
audit(1079481256.567:0): avc: denied { read } for pid=3310 exe=/bin/bash name=mtab
dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481256.567:0): avc: denied { getattr } for pid=3310 exe=/bin/bash
path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481260.180:0): avc: denied { search } for pid=3312 exe=/usr/bin/ssh-agent
name=home dev=hdb2 ino=1030177 scontext=user_u:user_r:user_ssh_agent_t
tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481273.536:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86
name=.gnome2 dev=hdb2 ino=33285 scontext=user_u:user_r:user_xserver_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481273.536:0): avc: denied { read } for pid=3307 exe=/usr/X11R6/bin/XFree86
name=fonts.dir dev=hdb2 ino=801265 scontext=user_u:user_r:user_xserver_t
tcontext=user_u:object_r:user_home_t tclass=file
audit(1079481273.536:0): avc: denied { getattr } for pid=3307
exe=/usr/X11R6/bin/XFree86 path=/home/jim/.gnome2/share/cursor-fonts/fonts.dir dev=hdb2
ino=801265 scontext=user_u:user_r:user_xserver_t tcontext=user_u:object_r:user_home_t
tclass=file
audit(1079481275.105:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys
dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t
tclass=dir
audit(1079481275.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam
path=/tmp/.fam_socket scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.173:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam
capability=0 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079481275.175:0): avc: denied { write } for pid=3335
exe=/usr/libexec/gnome-settings-daemon name=.famjOWPcN dev=hdb2 ino=278074
scontext=user_u:user_r:user_t tcontext=system_u:object_r:inetd_child_tmp_t
tclass=sock_file
audit(1079481275.175:0): avc: denied { connectto } for pid=3335
exe=/usr/libexec/gnome-settings-daemon path=/tmp/.famjOWPcN scontext=user_u:user_r:user_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.178:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam
path=/tmp/.famjOWPcN scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.180:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mtab
dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481275.180:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/etc/mtab dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t
tclass=lnk_file
audit(1079481275.181:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342
dev= ino=219021314 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=dir
audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481275.181:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481275.276:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/usr/share/mime-info/gnome-vfs.keys dev=hdb2 ino=229748
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home
dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim
dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam
name=.gnome dev=hdb2 ino=2224863 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.729:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim/.gnome/mime-info dev=hdb2 ino=1112366
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t
tclass=dir
audit(1079481275.730:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam
name=mime-info dev=hdb2 ino=1112366 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.766:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim/.gnome/mime-info/user.mime dev=hdb2 ino=1111959
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t
tclass=file
audit(1079481279.834:0): avc: denied { write } for pid=3366 exe=/usr/bin/magicdev
name=fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
audit(1079481279.835:0): avc: denied { ioctl } for pid=3366 exe=/usr/bin/magicdev
path=/dev/fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t
tclass=lnk_file
audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481282.526:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481286.686:0): avc: denied { use } for pid=3416 exe=/sbin/pam_timestamp_check
path=/dev/tty2 dev=hdb2 ino=71750 scontext=user_u:user_r:pam_t
tcontext=system_u:system_r:local_login_t tclass=fd
audit(1079481286.688:0): avc: denied { sys_tty_config } for pid=3416
exe=/sbin/pam_timestamp_check capability=26 scontext=user_u:user_r:pam_t
tcontext=user_u:user_r:pam_t tclass=capability
audit(1079481292.262:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481300.966:0): avc: denied { read } for pid=3425 exe=/bin/bash name=mtab
dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481305.741:0): avc: denied { setattr } for pid=3433
exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hdb2 ino=2175537
scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file
audit(1079481306.919:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam
capability=0 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079481306.930:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=jim
dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481318.752:0): avc: denied { read } for pid=3439 exe=/bin/bash name=mtab
dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481318.753:0): avc: denied { getattr } for pid=3439 exe=/bin/bash
path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home
dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim
dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079482042.883:0): avc: denied { search } for pid=3501 exe=/bin/su name=root
dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { write } for pid=3501 exe=/bin/su name=root
dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { add_name } for pid=3501 exe=/bin/su
name=.xauthtZDJwx scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t
tclass=dir
audit(1079482042.898:0): avc: denied { create } for pid=3501 exe=/bin/su
name=.xauthtZDJwx scontext=user_u:user_r:user_su_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
audit(1079482042.923:0): avc: denied { setattr } for pid=3501 exe=/bin/su
name=.xauthtZDJwx dev=hdb2 ino=360078 scontext=user_u:user_r:user_su_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
audit(1079482500.573:0): avc: denied { read } for pid=3539 exe=/bin/bash name=mtab
dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t
tclass=lnk_file
audit(1079482629.580:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342
dev= ino=219021314 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=dir
audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts
dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079482650.058:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys
dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t
tclass=dir
audit(1079482650.109:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam
capability=0 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079482650.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam
path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.115:0): avc: denied { write } for pid=3554 exe=/usr/bin/kdeinit
name=.famrrGRJP dev=hdb2 ino=278715 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:inetd_child_tmp_t tclass=sock_file
audit(1079482650.115:0): avc: denied { connectto } for pid=3554 exe=/usr/bin/kdeinit
path=/tmp/.famrrGRJP scontext=user_u:user_r:user_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.116:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam
path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t
tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.287:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit
path=/var/tmp/kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1079482650.288:0): avc: denied { search } for pid=3555 exe=/usr/bin/kdeinit
name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1079482650.334:0): avc: denied { read } for pid=3555 exe=/usr/bin/kdeinit
name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482650.335:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit
path=/var/tmp/kdecache-jim/ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.439:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit
name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.441:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit
name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1079482651.441:0): avc: denied { add_name } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t
tclass=dir
audit(1079482651.441:0): avc: denied { create } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t
tclass=file
audit(1079482651.442:0): avc: denied { setattr } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.017:0): avc: denied { remove_name } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1079482660.017:0): avc: denied { rename } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.017:0): avc: denied { unlink } for pid=3555 exe=/usr/bin/kdeinit
name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t
tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.024:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit
name=ksycocastamp dev=hdb2 ino=376977 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:file_t tclass=file
audit(1079482660.175:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=.kde
dev=hdb2 ino=737042 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.176:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/home/jim/.kde/share/servicetypes dev=hdb2 ino=801647
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t
tclass=dir
audit(1079482660.177:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam
name=servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.179:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/usr/share/servicetypes/kcomprfilter.desktop dev=hdb2 ino=196659
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file
audit(1079482660.787:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam
path=/usr/share/applications/redhat-web.desktop dev=hdb2 ino=1717246
scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=lnk_file
audit(1079482810.277:0): avc: denied { setattr } for pid=3567
exe=/usr/bin/gnome-volume-control name=registry.xml dev=hdb2 ino=2175537
scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
4:01 a.m.
New subject: dmesg errors (sgi_fam)
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
You should turn off sgi_fam
chkconfig sgi_fam off
This is generating most of the errors and will be turned off by default
in Test2.
Its not clear here whether fam will be turned off just for test2 while issues
are sorted out, or permanently including the FC2 final release.
If the latter then I'd be concerned about losing the file monitoring
functionality and I suspect a lot of users will complain that the file
browsers are broken and not updating correctly.
I've googled for an explanation of what the problem is with fam/selinux but
didn't come up with anything. I'd be curious to know what it is. Or even if
there's a new replacement which supercedes it.
Cheers,
Martin.
5:24 a.m.
New subject: dmesg errors (sgi_fam)
On Wed, 17 Mar 2004 21:01, Martin Ebourne <lists(a)ebourne.me.uk> wrote:
I've googled for an explanation of what the problem is with
fam/selinux but
didn't come up with anything. I'd be curious to know what it is. Or even if
there's a new replacement which supercedes it.
The problem is that famd is an application which accepts network connections,
wants read access to every file that any user can access. If you want to
have a secure system you don't want many such programs.
Remote famd operation is only for non-polling notifications over the network.
For most people having polling for file status changes on NFS will probably
be OK.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
5:39 a.m.
New subject: dmesg errors (sgi_fam)
Russell Coker <russell(a)coker.com.au> wrote:
The problem is that famd is an application which accepts network
connections,
wants read access to every file that any user can access. If you want to
have a secure system you don't want many such programs.
Surely it doesn't need access to the file contents - just to stat them, so
access to directories (still a security issue, I agree).
Remote famd operation is only for non-polling notifications over the
network.
For most people having polling for file status changes on NFS will probably
be OK.
I agree with disabling remote famd, but the original post appeared to be
disabling the daemon entirely, which I expect would prevent local file
monitoring too. Or do gnome/kde use dnotify directly?
Also, I thought RH/Fedora already shipped with remote famd disabled.
Cheers,
Martin.
7:24 a.m.
New subject: dmesg errors (sgi_fam)
On Wed, 17 Mar 2004 22:39, Martin Ebourne <lists(a)ebourne.me.uk> wrote:
Russell Coker <russell(a)coker.com.au> wrote:
> The problem is that famd is an application which accepts network
> connections, wants read access to every file that any user can access.
> If you want to have a secure system you don't want many such programs.
Surely it doesn't need access to the file contents - just to stat them, so
access to directories (still a security issue, I agree).
Giving access to file names is still a security issue. If it can run with
only { getattr search } access to directories and getattr access to files
then it won't be so bad. Of course being able to remotely monitor what files
someone is writing too also provides some issues (and for some files the
names are predictable).
> Remote famd operation is only for non-polling notifications over
the
> network. For most people having polling for file status changes on NFS
> will probably be OK.
I agree with disabling remote famd, but the original post appeared to be
disabling the daemon entirely, which I expect would prevent local file
monitoring too. Or do gnome/kde use dnotify directly?
I don't think that the command Dan suggested would turn it off entirely. The
libfam functionality linked into applications should still do everything you
want locally.
Also, I thought RH/Fedora already shipped with remote famd disabled.
Not last time I checked.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
10:01 p.m.
New subject: dmesg errors (sgi_fam)
Russell Coker wrote:
On Wed, 17 Mar 2004 22:39, Martin Ebourne <lists(a)ebourne.me.uk>
wrote:
>Russell Coker <russell(a)coker.com.au> wrote:
>
>
>>The problem is that famd is an application which accepts network
>>connections, wants read access to every file that any user can access.
>>If you want to have a secure system you don't want many such programs.
>>
>>
>Surely it doesn't need access to the file contents - just to stat them, so
>access to directories (still a security issue, I agree).
>
>
Giving access to file names is still a security issue. If it can run with
only { getattr search } access to directories and getattr access to files
then it won't be so bad. Of course being able to remotely monitor what files
someone is writing too also provides some issues (and for some files the
names are predictable).
We have turned it off for test2 and intend to have a replacement.
Basically we need one that runs in user space and has access to all
files that
the user has access to. Currently famd does stuff with portmapper and still
requires a network communication even if it is only allowing localhost.
In FC1 it was locked down to localhost.
We realize the that fam provides a needed feature, and are working to
replace it.
Dan
>>Remote famd operation is only for non-polling notifications over the
>>network. For most people having polling for file status changes on NFS
>>will probably be OK.
>>
>>
>I agree with disabling remote famd, but the original post appeared to be
>disabling the daemon entirely, which I expect would prevent local file
>monitoring too. Or do gnome/kde use dnotify directly?
>
>
I don't think that the command Dan suggested would turn it off entirely. The
libfam functionality linked into applications should still do everything you
want locally.
>Also, I thought RH/Fedora already shipped with remote famd disabled.
>
>
Not last time I checked.
7352
days inactive
7353
days old
selinux@lists.fedoraproject.org
6 comments
4 participants
participants (4)
-
Daniel J Walsh -
Jim Cornette -
Martin Ebourne -
Russell Coker