Another error message in current test kernel
Stephen Smalley
sds at tycho.nsa.gov
Thu Nov 17 14:03:58 UTC 2005
On Wed, 2005-11-16 at 17:12 -0500, Steve Grubb wrote:
> On Wednesday 16 November 2005 15:04, Stephen Smalley wrote:
> > > Nov 16 09:21:00 localhost kernel: inode_doinit_with_dentry:
> > > context_to_sid(root:object_r:fileop_exec_t:s0) returned 22 for dev=sda7
> > > ino=3761512
> >
> > That just means that you previously had the selinux testsuite policy
> > loaded, and then later removed it, thereby invalidating that type (and
> > thus any incore inode labels that contained it).
>
> Correct...how would a normal user know that? Is this an error, warning, or
> info? Does this message need to be worded more ominously? What is the fix for
> this?

The message could be clearer, particularly for the common case (e.g.
SELinux: inode %ld on dev %s has invalid security context %s, treating
as unlabeled.) It is presently a printk in
hooks.c:inode_doinit_with_dentry; could be converted to using audit_log.
There are a number of printks performed by hooks.c that are potentially
candidates for using the audit system instead.

The fix for the reported error is to relabel the inode to a valid
security context. Until that happens, SELinux treats it as having the
unlabeled context and thus makes it inaccessible to unprivileged
confined processes.
--
Stephen Smalley
National Security Agency
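
For triage of the message discussed in this thread, the following added example (not part of the original post and not kernel or SELinux project code) extracts the invalid context, device and inode from such log lines and groups the inodes that need relabeling by the type the loaded policy no longer defines. The sample log, the `test_file_t` entry and the function names are constructed for illustration.

```python
import errno
import re
from collections import defaultdict

# Message format as it appears in the kernel log line quoted in the thread.
MSG_RE = re.compile(
    r"inode_doinit_with_dentry:\s+context_to_sid\((?P<context>[^)]+)\)\s+"
    r"returned\s+(?P<rc>\d+)\s+for\s+dev=(?P<dev>\S+)\s+ino=(?P<ino>\d+)"
)

# Constructed sample: line 1 is the thread's message joined onto one line,
# line 2 repeats it, lines 3 and 4 are made up for illustration.
SAMPLE_LOG = """\
Nov 16 09:21:00 localhost kernel: inode_doinit_with_dentry:  context_to_sid(root:object_r:fileop_exec_t:s0) returned 22 for dev=sda7 ino=3761512
Nov 16 09:21:02 localhost kernel: inode_doinit_with_dentry:  context_to_sid(root:object_r:fileop_exec_t:s0) returned 22 for dev=sda7 ino=3761512
Nov 16 09:21:04 localhost kernel: inode_doinit_with_dentry:  context_to_sid(root:object_r:test_file_t:s0) returned 22 for dev=sda7 ino=3761530
Nov 16 09:21:05 localhost kernel: some unrelated message
"""


def parse_invalid_contexts(log_text):
    """Return one record per (dev, ino) whose on-disk context was rejected."""
    seen, records = set(), []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        key = (m["dev"], int(m["ino"]))
        if key in seen:  # the same inode can be reported more than once
            continue
        seen.add(key)
        parts = m["context"].split(":")  # user:role:type[:level]
        records.append({
            "dev": key[0], "ino": key[1],
            "context": m["context"],
            "type": parts[2] if len(parts) >= 3 else None,
            # 22 is EINVAL: the context is not valid under the loaded policy
            "errno": errno.errorcode.get(int(m["rc"]), m["rc"]),
        })
    return records


def group_by_type(records):
    """Map each invalid type to the (dev, ino) pairs still labeled with it."""
    groups = defaultdict(list)
    for r in records:
        groups[r["type"]].append((r["dev"], r["ino"]))
    return dict(groups)
```

Calling `group_by_type(parse_invalid_contexts(SAMPLE_LOG))` gives the list of inodes to relabel per missing type.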