Deepak Shrestha wrote:
On 7/28/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Fri, 2006-07-28 at 10:48 +0100, Paul Howarth wrote:
> Deepak Shrestha wrote:
> >> Look in /var/log/messages, or if you're running the audit daemon
> >> (default on in FC4), /var/log/audit/audit.log, for lines containing
> >> "type=AVC".
> >>
> >> Paul.
> >>
> >
> > I don't have audit directory or audit.log but issuing
> > # cat /var/log/messages | grep AVC
> >
> > gives me blank result
>
> It's possible that any messages may have been rotated out. Try:
>
> $ fgrep type=AVC /var/log/messages*
>
> If there's nothing there then it's likely that your issue was not
> SELinux-related.
I think the type=AVC prefixes are only added if running auditd (in which
case you'd be checking /var/log/audit/audit.log*). Otherwise, you'd
just get the raw audit message from the kernel in /var/log/messages.
The safest thing is to just look for "avc:"; that will be present
regardless.
--
Stephen Smalley
National Security Agency
Looking for "avc:", I found lots of entries with "denied" in
/var/log/messages.
The entry is rather long so posting only the fragment (hope this will
still make the point). It is something like this:
==============
Jul 24 23:39:53 webcomp kernel: audit(1153755580.824:2): avc: denied
{ getattr } for pid=1153 comm="mount" name="kcore" dev=proc
ino=-268435435 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
Jul 24 23:39:54 webcomp kernel: audit(1153755580.856:3): avc: denied
{ getattr } for pid=1153 comm="mount" name="kcore" dev=proc
ino=-268435435 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
Jul 25 11:45:16 webcomp kernel: audit(1153799116.610:8): avc: denied
{ use } for pid=2467 comm="bluez-pin" name="[7581]" dev=pipefs
ino=7581 scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
Jul 25 11:45:16 webcomp kernel: audit(1153799116.610:9): avc: denied
{ use } for pid=2467 comm="bluez-pin" name="[7581]" dev=pipefs
ino=7581 scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
Jul 25 14:00:21 webcomp kernel: audit(1153807221.327:4): avc: denied
{ use } for pid=2291 comm="bluez-pin" name="[7243]" dev=pipefs
ino=7243 scontext=user_u:system_r:bluetooth_helper_t:s0
......
......
......
......
..... and so on
==============
What does this mean??? and most importantly why? and what is the solution?
These are probably not the relevant denials. Try to find ones from
around the time you were trying the RPM install. There should be a log
entry corresponding to when you did the "setenforce 0" (search for
"setenforce" in /var/log/messages), and the denials of interest should
be in the minutes preceding that.
Paul.
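
Added example, not part of the thread: one way to apply both suggestions above, matching on "avc:" rather than "type=AVC" and keeping only the denials logged in the minutes before the "setenforce" entry. The function name, the 10-minute window, the assumed year and the sample log (including the wording of the setenforce line and the rpm denial) are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the /var/log/messages layout quoted in the thread.
# The rpm denial and the wording of the "setenforce" line are invented.
SAMPLE_LOG = """\
Jul 24 23:39:53 webcomp kernel: audit(1153755580.824:2): avc: denied { getattr } for pid=1153 comm="mount" name="kcore" dev=proc ino=-268435435 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
Jul 25 11:45:16 webcomp kernel: audit(1153799116.610:8): avc: denied { use } for pid=2467 comm="bluez-pin" name="[7581]" dev=pipefs ino=7581 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
Jul 28 09:12:40 webcomp kernel: audit(1154049160.101:21): avc: denied { write } for pid=3011 comm="rpm" name="example" dev=hda2 ino=1234 scontext=user_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_dst_t:s0 tclass=dir
Jul 28 09:14:02 webcomp example: setenforce 0 (constructed marker line)
"""

STAMP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
# Match on "avc:" rather than "type=AVC" so kernel-only logs are covered too.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def denials_before_marker(log_text, marker="setenforce", minutes=10, year=2006):
    """Return 'avc: denied' records from the `minutes` before the last marker line.

    Syslog stamps carry no year, so `year` is an assumption applied to every
    line; a log that spans New Year needs to be split first.
    """
    records, marker_time = [], None
    for line in log_text.splitlines():
        stamp = STAMP_RE.match(line)
        if not stamp:
            continue
        when = datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S")
        avc = AVC_RE.search(line)
        if avc:  # checked first so a denial with comm="setenforce" is not the marker
            records.append((when, avc.groupdict()))
        elif marker in line:
            marker_time = when
    if marker_time is None:
        return []
    start = marker_time - timedelta(minutes=minutes)
    return [dict(rec, time=when) for when, rec in records
            if start <= when <= marker_time]


if __name__ == "__main__":
    for d in denials_before_marker(SAMPLE_LOG):
        print(d["time"], d["comm"], d["perms"], d["tclass"],
              d["scontext"], "->", d["tcontext"])
```

To read rotated logs as well, concatenate the files matched by /var/log/messages* in chronological order before passing the text in.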