On Wed, 2005-11-16 at 17:12 -0500, Steve Grubb wrote:
> On Wednesday 16 November 2005 15:04, Stephen Smalley wrote:
> > > Nov 16 09:21:00 localhost kernel: inode_doinit_with_dentry:
> > > context_to_sid(root:object_r:fileop_exec_t:s0) returned 22 for dev=sda7
> > > ino=3761512
> >
> > That just means that you previously had the selinux testsuite policy
> > loaded, and then later removed it, thereby invalidating that type (and
> > thus any incore inode labels that contained it).
>
> Correct...how would a normal user know that? Is this an error, warning, or
> info? Does this message need to be worded more ominously? What is the fix for
> this?

The message could be clearer, particularly for the common case (e.g.
SELinux: inode %ld on dev %s has invalid security context %s, treating
as unlabeled.) It is presently a printk in
hooks.c:inode_doinit_with_dentry; could be converted to using audit_log.
There are a number of printks performed by hooks.c that are potentially
candidates for using the audit system instead.

The fix for the reported error is to relabel the inode to a valid
security context. Until that happens, SELinux treats it as having the
unlabeled context and thus makes it inaccessible to unprivileged
confined processes.
--
Stephen Smalley
National Security Agency
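As an added example (not code from this thread or from the SELinux project), a small Python triage script that parses the inode_doinit_with_dentry printk quoted above, decodes the returned errno, rewrites each hit in the clearer wording Stephen proposes, and groups affected inodes by their stale context so an administrator can see which objects need relabeling. The regex field order and the sample log lines are assumptions constructed for the example.

```python
import errno
import re
from dataclasses import dataclass
# Pattern for the printk quoted in the thread (assumed field order: context, errno, dev, ino).
PRINTK_RE = re.compile(
    r"inode_doinit_with_dentry:\s*context_to_sid\((?P<ctx>[^)]*)\)"
    r"\s+returned\s+(?P<err>\d+)\s+for\s+dev=(?P<dev>\S+)\s+ino=(?P<ino>\d+)"
)

@dataclass
class InvalidLabel:
    ctx: str   # on-disk security context that the loaded policy no longer defines
    err: int   # errno returned by context_to_sid (22 is EINVAL)
    dev: str
    ino: int

    def errname(self):
        return errno.errorcode.get(self.err, f"errno {self.err}")

    def message(self):
        # The clearer wording proposed in the reply, with the errno name added.
        return (f"SELinux: inode {self.ino} on dev {self.dev} has invalid security "
                f"context {self.ctx} ({self.errname()}), treating as unlabeled")

def parse_line(line):
    """Return an InvalidLabel for a matching kernel line, else None."""
    m = PRINTK_RE.search(line)
    return InvalidLabel(m["ctx"], int(m["err"]), m["dev"], int(m["ino"])) if m else None

def triage(lines):
    """Group affected inodes by context so each stale type is reported once."""
    by_ctx = {}
    for hit in filter(None, map(parse_line, lines)):
        by_ctx.setdefault(hit.ctx, []).append(hit)
    return by_ctx

# Constructed sample: the thread's line, a second inode with the same stale type,
# and an unrelated kernel line that must be ignored.
SAMPLE = [
    "Nov 16 09:21:00 localhost kernel: inode_doinit_with_dentry: "
    "context_to_sid(root:object_r:fileop_exec_t:s0) returned 22 for dev=sda7 ino=3761512",
    "Nov 16 09:21:01 localhost kernel: inode_doinit_with_dentry: "
    "context_to_sid(root:object_r:fileop_exec_t:s0) returned 22 for dev=sda7 ino=3761520",
    "Nov 16 09:21:02 localhost kernel: usb 1-1: new device found",
]

if __name__ == "__main__":
    for ctx, hits in triage(SAMPLE).items():
        print(f"{ctx}: {len(hits)} inode(s) need relabeling to a type the loaded policy defines")
        print("\n".join("  " + h.message() for h in hits))
```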