On Mon, 2018-05-14 at 11:50 -0700, Matthew Garrett wrote:
> On Mon, May 14, 2018 at 10:36 AM Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
>
> > On Mon, May 14, 2018 at 10:35 AM Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> > wrote:
> > > > # echo . > /sys/kernel/security/integrity/evm/evm_xattrs
> > > > bash: echo: write error: Operation not permitted
>
> > > I'm still seeing this message.
>
> > Looking into it.
>
> I can't reproduce this - the only way you should be getting EPERM is if the
> list is already locked or if you don't have CAP_SYS_ADMIN.

The call to notify_change() calls security_inode_setattr(), which is
failing, because there is no security.evm xattr. It's failing with
-EPERM.

Mimi