On Sun, 2007-07-22 at 00:13 -0400, Tom Horsley wrote:
> Updated my system with new kernel, and nothing horrible
> has happened. Everything seems to work perfectly :-).
I'm tempted to say "me too," but I'm not sure. Things appear fine
(graphics, sound, network, etc.), though the first time I plugged a USB
flashdrive I got a SELinux alert, but I wasn't prevented from doing
anything. I don't know if it was co-incidental, directly related to
plugging in the drive, or even important, but the message wasn't
repeated after dismounting, unplugging, waiting quite some time, and
replugging the drive in. Removeable drive options were set to
auto-mount and auto-browse newly connected devices, at the time.
This is what I saw in the report, below, perhaps someone can illuminate
the situation. I'm curious what the local ID is based on.
------------------------ start copy of report ------------------------
Summary:
SELinux is preventing /sbin/pam_console_apply (pam_console_t) "read" to / (boot_t).
Detailed Description:
SELinux denied access requested by /sbin/pam_console_apply. It is not
expected that this access is required by /sbin/pam_console_apply and
this access may signal an intrusion attempt. It is also possible that
the specific version or configuration of the application is causing it
to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /, restorecon -v / If this
does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access -
see FAQ Or you can disable SELinux protection altogether. Disabling
SELinux protection is not recommended. Please file a bug report against
this package.
Additional Information
Source Context: system_u:system_r:pam_console_t:SystemLow-SystemHigh
Target Context: system_u:object_r:boot_t
Target Objects: / [ dir ]
Affected RPM Packages: pam-0.99.7.1-5.1.fc7 [application]filesystem-2.4.6-1.fc7 [target]
Policy RPM: selinux-policy-2.6.4-26.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: bigblack
Platform: Linux bigblack 2.6.22.1-27.fc7 #1 SMP Tue Jul 17 17:13:26 EDT 2007 i686 i686
Alert Count: 153
First Seen: Fri 22 Jun 2007 18:22:34 CST
Last Seen: Sun 22 Jul 2007 18:16:32 CST
Local ID: cff890f3-609b-42c2-a807-71ed31de268c
Line Numbers:
Raw Audit Messages:
avc: denied { read } for comm="pam_console_app" dev=sda1 egid=0 euid=0 exe="/sbin/pam_console_apply" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3376 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:boot_t:s0 tty=(none) uid=0
------------------------- end copy of report -------------------------
[root@bigblack log]# lspci
00:00.0 Host bridge: Silicon Integrated Systems [SiS] 650/M650 Host (rev 01)
00:01.0 PCI bridge: Silicon Integrated Systems [SiS] Virtual PCI-to-PCI bridge (AGP)
00:02.0 ISA bridge: Silicon Integrated Systems [SiS] SiS961 [MuTIOL Media IO]
00:02.1 SMBus: Silicon Integrated Systems [SiS] SiS961/2 SMBus Controller
00:02.2 USB Controller: Silicon Integrated Systems [SiS] USB 1.0 Controller (rev 07)
00:02.3 USB Controller: Silicon Integrated Systems [SiS] USB 1.0 Controller (rev 07)
00:02.5 IDE interface: Silicon Integrated Systems [SiS] 5513 [IDE] (rev d0)
00:02.7 Multimedia audio controller: Silicon Integrated Systems [SiS] AC'97 Sound Controller (rev a0)
00:03.0 Ethernet controller: Silicon Integrated Systems [SiS] SiS900 PCI Fast Ethernet (rev 90)
01:00.0 VGA compatible controller: nVidia Corporation NV25 [GeForce4 Ti 4200] (rev a3)
--
[tim@bigblack ~]$ uname -ipr
2.6.22.1-27.fc7 i686 i386
Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
