On Sun, 2007-07-22 at 00:13 -0400, Tom Horsley wrote:
> Updated my system with new kernel, and nothing horrible
> has happened. Everything seems to work perfectly :-).

I'm tempted to say "me too," but I'm not sure. Things appear fine
(graphics, sound, network, etc.), though the first time I plugged in a USB
flash drive I got a SELinux alert, but I wasn't prevented from doing
anything.

I don't know if it was coincidental, directly related to plugging in the
drive, or even important, but the message wasn't repeated after
dismounting, unplugging, waiting quite some time, and replugging the drive
in. Removable drive options were set to auto-mount and auto-browse newly
connected devices, at the time.

This is what I saw in the report, below; perhaps someone can illuminate
the situation. I'm curious what the local ID is based on.

------------------------ start copy of report ------------------------

Summary:

SELinux is preventing /sbin/pam_console_apply (pam_console_t) "read" to /
(boot_t).

Detailed Description:

SELinux denied access requested by /sbin/pam_console_apply. It is not
expected that this access is required by /sbin/pam_console_apply and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /,

    restorecon -v /

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ Or you can disable SELinux protection altogether.
Disabling SELinux protection is not recommended. Please file a bug report
against this package.

Additional Information

Source Context:        system_u:system_r:pam_console_t:SystemLow-SystemHigh
Target Context:        system_u:object_r:boot_t
Target Objects:        / [ dir ]
Affected RPM Packages: pam-0.99.7.1-5.1.fc7 [application]
                       filesystem-2.4.6-1.fc7 [target]
Policy RPM:            selinux-policy-2.6.4-26.fc7
Selinux Enabled:       True
Policy Type:           targeted
MLS Enabled:           True
Enforcing Mode:        Enforcing
Plugin Name:           plugins.catchall_file
Host Name:             bigblack
Platform:              Linux bigblack 2.6.22.1-27.fc7 #1 SMP Tue Jul 17 17:13:26 EDT 2007 i686 i686
Alert Count:           153
First Seen:            Fri 22 Jun 2007 18:22:34 CST
Last Seen:             Sun 22 Jul 2007 18:16:32 CST
Local ID:              cff890f3-609b-42c2-a807-71ed31de268c
Line Numbers:

Raw Audit Messages:

avc: denied { read } for comm="pam_console_app" dev=sda1 egid=0 euid=0 exe="/sbin/pam_console_apply" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3376 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:boot_t:s0 tty=(none) uid=0

------------------------- end copy of report -------------------------

[root@bigblack log]# lspci
00:00.0 Host bridge: Silicon Integrated Systems [SiS] 650/M650 Host (rev 01)
00:01.0 PCI bridge: Silicon Integrated Systems [SiS] Virtual PCI-to-PCI bridge (AGP)
00:02.0 ISA bridge: Silicon Integrated Systems [SiS] SiS961 [MuTIOL Media IO]
00:02.1 SMBus: Silicon Integrated Systems [SiS] SiS961/2 SMBus Controller
00:02.2 USB Controller: Silicon Integrated Systems [SiS] USB 1.0 Controller (rev 07)
00:02.3 USB Controller: Silicon Integrated Systems [SiS] USB 1.0 Controller (rev 07)
00:02.5 IDE interface: Silicon Integrated Systems [SiS] 5513 [IDE] (rev d0)
00:02.7 Multimedia audio controller: Silicon Integrated Systems [SiS] AC'97 Sound Controller (rev a0)
00:03.0 Ethernet controller: Silicon Integrated Systems [SiS] SiS900 PCI Fast Ethernet (rev 90)
01:00.0 VGA compatible controller: nVidia Corporation NV25 [GeForce4 Ti 4200] (rev a3)

-- 
[tim@bigblack ~]$ uname -ipr
2.6.22.1-27.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
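
Added example, not part of the original message: a small Python parser that splits the raw AVC line from the report above into its permissions, source and target contexts, object class and errno. The names parse_avc, split_context and summarize belong to this example only; RAW_AVC is the audit message copied from the report.

```python
import errno
import re

# Raw audit message copied from the report in the message above.
RAW_AVC = ('avc: denied { read } for comm="pam_console_app" dev=sda1 egid=0 euid=0 '
           'exe="/sbin/pam_console_apply" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
           'name="/" pid=3376 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 '
           'sgid=0 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 '
           'tclass=dir tcontext=system_u:object_r:boot_t:s0 tty=(none) uid=0')

AVC_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', re.S)
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def split_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % ctx)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'range': parts[3] if len(parts) == 4 else None}

def parse_avc(message):
    """Return the decision, permissions, contexts and raw fields of one AVC record."""
    m = AVC_HEAD.search(message)
    if not m:
        raise ValueError('no AVC record found')
    fields = {k: (v[1:-1] if v.startswith('"') else v)
              for k, v in FIELD.findall(m.group(3))}
    missing = {'scontext', 'tcontext', 'tclass'} - fields.keys()
    if missing:
        raise ValueError('AVC record lacks %s' % ', '.join(sorted(missing)))
    return {'result': m.group(1), 'perms': m.group(2).split(),
            'source': split_context(fields['scontext']),
            'target': split_context(fields['tcontext']),
            'tclass': fields['tclass'], 'fields': fields}

def summarize(avc):
    """One-line triage summary: who asked for what on which labelled object."""
    f = avc['fields']
    code = -int(f['exit']) if 'exit' in f else None  # exit=-13 means errno 13
    return '%s { %s } %s -> %s:%s exe=%s name=%s dev=%s errno=%s' % (
        avc['result'], ' '.join(avc['perms']), avc['source']['type'],
        avc['target']['type'], avc['tclass'], f.get('exe'), f.get('name'),
        f.get('dev'), errno.errorcode.get(code, 'unknown'))

if __name__ == '__main__':
    print(summarize(parse_avc(RAW_AVC)))
```

The source range s0-s0:c0.c1023 parsed here is the same range the report's "Source Context" line shows as SystemLow-SystemHigh.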