[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Another error message in current test kernel



On Wed, 2005-11-16 at 17:12 -0500, Steve Grubb wrote:
> On Wednesday 16 November 2005 15:04, Stephen Smalley wrote:
> > > Nov 16 09:21:00 localhost kernel: inode_doinit_with_dentry:  
> > > context_to_sid(root:object_r:fileop_exec_t:s0) returned 22 for dev=sda7
> > > ino=3761512
> >
> > That just means that you previously had the selinux testsuite policy
> > loaded, and then later removed it, thereby invalidating that type (and
> > thus any incore inode labels that contained it).
> 
> Correct...how would a normal user know that? Is this an error, warning, or 
> info? Does this message need to be worded more ominously? What is the fix for 
> this?

The message could be clearer, particularly for the common case (e.g.
SELinux:  inode %ld on dev %s has invalid security context %s, treating
as unlabeled.)  It is presently a printk in
hooks.c:inode_doinit_with_dentry; could be converted to using audit_log.
There are a number of printks performed by hooks.c that are potentially
candidates for using the audit system instead.

The fix for the reported error is to relabel the inode to a valid
security context.  Until that happens, SELinux treats it as having the
unlabeled context and thus makes it inaccessible to unprivileged
confined processes.

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]