On Sat, 12 Jun 2004 21:38:37 +1000, Russell Coker said:
> With the latest kernel I am getting some strange AVC messages I didn't get
> with 2.6.5-1.358.
>
> audit(1087039822.666:0): avc: denied { getattr } for pid=5262
> exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t
> tcontext=system_u:object_r:root_t tclass=chr_file
> audit(1087039822.684:0): avc: denied { getattr } for pid=5262
> exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t
> tcontext=system_u:object_r:root_t tclass=chr_file
>
> There is no device node 16381 on the file system. Running the same command
> repeatedly gives similar messages with different inode numbers, so I guess
> it's some sort of temporary file. The machine is in enforcing mode and
> nothing that might want to create a root_t chr_file has permission to do
> so...

I've been seeing this (avc points at a file that 'find -inum' can't find)
with some recent 2.6.6 and 2.6.7-rc -mm kernels as well.

I suspect (but haven't verified yet; I'll have to remember to boot single
user and check) that the operation in question is referencing a file in
/var (for instance), and that ino=16381 is in fact the inode *for the
directory 'var' in /*, and that while crossing over the mount point it's
getting confused about the difference between the root inode of the mounted
filesystem and the inode of the directory it's mounted on....

I'll try to remember to double-check this when I next reboot the laptop and
follow up on it tomorrow...
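As an added example (not code from either poster, and not part of the original thread), here is a small Python script that does the legwork discussed above: it parses a 2.6-era AVC denial line into its key=value fields, maps the dev= name to a mount point using /proc/mounts-style lines, and then walks that filesystem without crossing mount points looking for the inode. The AVC line and the mounts table below are constructed samples shaped like the ones in the quoted message; the "ino=16381 is the covered /var directory" theory is the reply's hypothesis, and a walk like this cannot see a directory that a mount is covering, which is exactly the case where it comes back empty.

```python
"""Resolve dev/ino pairs from SELinux AVC denials back to paths.

Added example for the thread above, not code from the original posters.
Assumes the 2.6-era AVC format: "avc: denied { perms } for k=v k=v ...".
"""
import os
import re
import tempfile

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample, same shape as the quoted message (not a real log line).
SAMPLE_AVC = (
    "audit(1087039822.666:0): avc: denied { getattr } for pid=5262 "
    "exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 "
    "scontext=rjc:system_r:pppd_t tcontext=system_u:object_r:root_t tclass=chr_file"
)

# Constructed /proc/mounts excerpt: / on hda1 with /var mounted on top of it.
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/hda2 /var ext3 rw 0 0
proc /proc proc rw 0 0
"""


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    if "ino" in rec:
        rec["ino"] = int(rec["ino"])
    return rec


def mount_point_for(dev_name, mounts_text):
    """Map an AVC dev= name such as 'hda1' to where /dev/hda1 is mounted."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "/dev/" + dev_name:
            return parts[1]
    return None


def covered_mount_points(mounts_text):
    """Mount points other than '/': the directory underneath each one is hidden
    from any path walk, so an inode living there can never be found this way."""
    return sorted({ln.split()[1] for ln in mounts_text.splitlines()
                   if len(ln.split()) >= 2 and ln.split()[1] != "/"})


def find_by_inode(root, ino, dev=None):
    """Walk `root` on a single filesystem and return every path with inode `ino`.

    Does not descend into mount points, so it behaves like 'find -xdev -inum'.
    `dev`, if given, must match the st_dev of `root`.
    """
    root_dev = os.lstat(root).st_dev
    if dev is not None and dev != root_dev:
        return []
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune anything that is itself a mount point; its inodes belong elsewhere.
        dirnames[:] = [d for d in dirnames
                       if not os.path.ismount(os.path.join(dirpath, d))]
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(entry)
            except OSError:
                continue
            if st.st_ino == ino and st.st_dev == root_dev:
                hits.append(entry)
    return hits


def demo():
    """Create a throwaway file and check that the lookup finds it by (dev, ino)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "sub", "needle")
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as fh:
            fh.write("x")
        st = os.lstat(target)
        return find_by_inode(tmp, st.st_ino, st.st_dev) == [target]


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    mp = mount_point_for(rec["dev"], SAMPLE_MOUNTS)
    print("denial:", rec)
    print("search root for dev=%s: %s" % (rec["dev"], mp))
    print("directories a walk cannot see under:", covered_mount_points(SAMPLE_MOUNTS))
    print("self-test:", demo())
```

Run it as root against a live /proc/mounts and the real root to reproduce the 'find -inum' miss; when the walk returns nothing, the covered mount points it lists are the candidates for the hidden directory inode the reply suspects.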