[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: strange AVC messages with kernel 2.6.6-1.427



On Sat, 12 Jun 2004 21:38:37 +1000, Russell Coker said:
> With the latest kernel I am getting some strange AVC messages I didn't get 
> with 2.6.5-1.358.
> 
> audit(1087039822.666:0): avc:  denied  { getattr } for  pid=5262 
> exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t 
> tcontext=system_u:object_r:root_t tclass=chr_file
> audit(1087039822.684:0): avc:  denied  { getattr } for  pid=5262 
> exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t 
> tcontext=system_u:object_r:root_t tclass=chr_file
> 
> There is no device node 16381 on the file system.  Running the same command 
> repeatedly gives similar messages with different inode numbers, so I guess 
> it's some sort of temporary file.  The machine is in enforcing mode and 
> nothing that might want to create a root_t chr_file has permission to do 
> so...

I've been seeing this (avc points at a file that 'find -inum' can't find) with
some recent 2.6.6 and 2.6.7-rc -mm kernels as well.  I suspect (but haven't
verified yet, I'll have to remember to boot single user and check) that the
operation in question is referencing a file in /var (for instance), and that
ino=16381 is in fact the inode *for the directory 'var' in /* and that while
crossing over the mount point it's getting confused about the difference
between the root inode of the mounted filesystem and the inode of the directory
it's mounted on....

I'll try to remember to double-check this when I next reboot the laptop and
follow up on it tomorrow...

Attachment: pgp00004.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]