The messages below occurred while booting with the latest strict policy in enforcing mode. One of the things that is not working is the screensaver. The first message indicates that the problem with the screensaver may be related to context of files in /tmp created by xdm.
Jul 10 03:13:22 new2 kernel: audit(1089443602.916:0): avc: denied { search } for pid=3288 exe=/usr/X11R6/bin/xscreensaver name=.X11-unix dev=hda2 ino=1840550 scontext=richard:staff_r:staff_screensaver_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
The additional messages below may or may not be related.
Jul 10 03:13:24 new2 kernel: audit(1089443604.337:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
The message above repeats 5 times, then:
Jul 10 03:13:30 new2 kernel: audit(1089443610.307:0): avc: denied { getattr } for pid=3390 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.639:0): avc: denied { getattr } for pid=3401 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.788:0): avc: denied { getattr } for pid=3402 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:36 new2 kernel: audit(1089443616.055:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jul 10 03:15:09 new2 kernel: audit(1089443709.073:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
On Sat, 2004-07-10 at 03:47 -0400, Richard Hally wrote:
Jul 10 03:13:30 new2 kernel: audit(1089443610.307:0): avc: denied { getattr } for pid=3390 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.639:0): avc: denied { getattr } for pid=3401 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.788:0): avc: denied { getattr } for pid=3402 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
You can ignore these for now. They're a symptom of /initrd not being unmounted. I spent an hour or two trying to figure that out a while back and gave up :/
Richard Hally wrote:
The messages below occurred while booting with the latest strict policy in enforcing mode. One of the things that is not working is the screensaver. The first message indicates that the problem with the screensaver may be related to context of files in /tmp created by xdm.
Jul 10 03:13:22 new2 kernel: audit(1089443602.916:0): avc: denied { search } for pid=3288 exe=/usr/X11R6/bin/xscreensaver name=.X11-unix dev=hda2 ino=1840550 scontext=richard:staff_r:staff_screensaver_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
The additional messages below may or may not be related.
Jul 10 03:13:24 new2 kernel: audit(1089443604.337:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
These should have been dontaudited. Are you running with enableaudit?
The message above repeats 5 times, then:
Jul 10 03:13:30 new2 kernel: audit(1089443610.307:0): avc: denied { getattr } for pid=3390 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.639:0): avc: denied { getattr } for pid=3401 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.788:0): avc: denied { getattr } for pid=3402 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:36 new2 kernel: audit(1089443616.055:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jul 10 03:15:09 new2 kernel: audit(1089443709.073:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
/initrd should have been umounted when the boot completes. We have to figure out why it is not umounted. The rest are being caused because of enableaudit, I believe.
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Daniel J Walsh wrote:
Richard Hally wrote:
The messages below occurred while booting with the latest strict policy in enforcing mode. One of the things that is not working is the screensaver. The first message indicates that the problem with the screensaver may be related to context of files in /tmp created by xdm.
Jul 10 03:13:22 new2 kernel: audit(1089443602.916:0): avc: denied { search } for pid=3288 exe=/usr/X11R6/bin/xscreensaver name=.X11-unix dev=hda2 ino=1840550 scontext=richard:staff_r:staff_screensaver_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
The additional messages below may or may not be related.
Jul 10 03:13:24 new2 kernel: audit(1089443604.337:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
These should have been dontaudited. Are you running with enableaudit?
There was a time when I did 'enableaudit' to get the avc denied messages for something else (Mozilla?). These were posted here just in case they were related.
Richard Hally
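A triage helper for denials like the ones posted in this thread, as an added example that is not part of any message: it parses each `avc: denied` line and counts denials per source type, target type, class and permission, so repeated messages collapse into one row. The function names are hypothetical; the sample lines are copied from the thread.

```python
import re
from collections import Counter

# AVC denials copied from the thread above (a subset, one per line).
SAMPLE = """\
Jul 10 03:13:22 new2 kernel: audit(1089443602.916:0): avc: denied { search } for pid=3288 exe=/usr/X11R6/bin/xscreensaver name=.X11-unix dev=hda2 ino=1840550 scontext=richard:staff_r:staff_screensaver_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul 10 03:13:24 new2 kernel: audit(1089443604.337:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jul 10 03:13:30 new2 kernel: audit(1089443610.307:0): avc: denied { getattr } for pid=3390 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.639:0): avc: denied { getattr } for pid=3401 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.788:0): avc: denied { getattr } for pid=3402 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:36 new2 kernel: audit(1089443616.055:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated or malformed record
    rec["perms"] = m.group("perms").split()
    # Contexts in these messages are user:role:type; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def file_t_targets(text):
    """Paths of denied objects typed file_t (in this thread, the /initrd ramdisk)."""
    recs = filter(None, map(parse_avc, text.splitlines()))
    return sorted({r.get("path", r.get("name", "?")) for r in recs if r["ttype"] == "file_t"})

if __name__ == "__main__":
    for (stype, ttype, tclass, perm), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {stype} -> {ttype}:{tclass} {{ {perm} }}")
    print("file_t targets:", file_t_targets(SAMPLE))
```
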