tripwire reports major changes -- gcc or selinux or ...

Marcin Struzak marcin at struzak.com
Tue Jul 12 00:34:16 UTC 2005


I am running FC3 with tripwire-2.3.1-20.fdr.1.1 (RPM), and all of a sudden, after months of successful "quiet" or almost quiet behavior, my nightly check reports over 6500 changes.  This is very unusual for an "overnight" situation, and so I am trying to figure out what caused it.

I did an up2date on glibc (which triggered other packages, such as gcc, cpp, and libgcc), required to compile FrontPage extensions, and I also played with SE_Linux (set SELINUX from enforcing to permissive, with a reboot in between), but I see files from all kinds of packages as changed.  Most of the ones that should not change have a different inode number, different CRC32 and different MD5; sizes, times, etc, are the same.    

Any ideas as to what may have triggered such an avalanche of changes?  How possibly can the same file have a different CRC?  Does SE_Linux do something to actual files on the disk?  Maybe to the inode table?  I thought it maintained a database for the kernel to consult, and the actual files were independent.  

Thanks in advance.  

--Marcin