[DSE-Dev] /selinux getattr messages

Martin Orr martin at martinorr.name
Sat Jun 23 11:39:11 UTC 2007

I am using the targeted policy in permissive mode.  During boot I get the
following messages:
audit(1182511335.252:36): avc:  denied  { getattr } for  pid=1249
comm="mount" name="/" dev=selinuxfs ino=318
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1182511346.457:47): avc:  denied  { getattr } for  pid=1503
comm="swapon" name="/" dev=selinuxfs ino=318
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1182511347.644:48): avc:  denied  { getattr } for  pid=1570
comm="iptables" name="/" dev=selinuxfs ino=318
tcontext=system_u:object_r:security_t:s0 tclass=filesystem

These come because libblkid and iptables are both linked against libselinux,
which locates the selinux mount point in a constructor.  When this was
introduced in libselinux, the selinux_get_fs_mount interface was added to
the reference policy to allow this.  So mount.te should gain
and fstools.te should gain

So far as I can see iptables has no need to be linked against libselinux,
but I will check further.

Martin Orr

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20070623/bbbe8194/attachment.pgp 

More information about the SELinux-devel mailing list