[DSE-Dev] /selinux getattr messages
Martin Orr
martin at martinorr.name
Sat Jun 23 11:39:11 UTC 2007
I am using the targeted policy in permissive mode. During boot I get the
following messages:

audit(1182511335.252:36): avc: denied { getattr } for pid=1249
comm="mount" name="/" dev=selinuxfs ino=318
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem

audit(1182511346.457:47): avc: denied { getattr } for pid=1503
comm="swapon" name="/" dev=selinuxfs ino=318
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem

audit(1182511347.644:48): avc: denied { getattr } for pid=1570
comm="iptables" name="/" dev=selinuxfs ino=318
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem

These come because libblkid and iptables are both linked against libselinux,
which locates the selinux mount point in a constructor. When this was
introduced in libselinux, the selinux_get_fs_mount interface was added to
the reference policy to allow this. So mount.te should gain

selinux_get_fs_mount(mount_t)

and fstools.te should gain

selinux_get_fs_mount(fsadm_t)

So far as I can see iptables has no need to be linked against libselinux,
but I will check further.

--
Martin Orr
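
The triage described in the message, as an added example that is not part of the original post or of the reference policy: a Python script that picks out getattr denials on the selinuxfs filesystem and lists the domains for which selinux_get_fs_mount is a candidate. The function names are assumptions of this example, the last log record is constructed, and the output includes iptables_t, for which the post proposes no rule.

```python
import re

# The three denials from the post, each re-joined onto one line, plus one
# constructed record (example_t) that must not match.
SAMPLE_LOG = [
    'audit(1182511335.252:36): avc: denied { getattr } for pid=1249 comm="mount" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem',
    'audit(1182511346.457:47): avc: denied { getattr } for pid=1503 comm="swapon" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem',
    'audit(1182511347.644:48): avc: denied { getattr } for pid=1570 comm="iptables" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem',
    'audit(1182511350.000:50): avc: denied { read } for pid=1600 comm="example" name="foo" dev=sda1 ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the record's key=value fields plus a 'perms' set, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())
    return rec

def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def selinuxfs_getattr_domains(lines):
    """Map each source domain to the commands denied getattr on selinuxfs."""
    domains = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        source = context_type(rec.get('scontext', ''))
        if (source and rec.get('tclass') == 'filesystem'
                and rec.get('dev') == 'selinuxfs'
                and rec['perms'] == {'getattr'}
                and context_type(rec.get('tcontext', '')) == 'security_t'):
            domains.setdefault(source, set()).add(rec.get('comm'))
    return domains

def candidate_rules(lines):
    # Candidates only: whether a domain should get the access is a policy decision.
    return ['selinux_get_fs_mount(%s)' % d for d in sorted(selinuxfs_getattr_domains(lines))]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```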