Help with avc's on /init
Ruth Ivimey-Cook
Ruth.Ivimey-Cook at ivimey.org
Wed Jul 13 14:23:12 UTC 2005
Stephen,
> > Jul 13 14:35:25 filestore kernel: [4294782.219000]
> > audit(1121261725.182:0): avc: denied { use } for path=/init
> > dev=rootfs ino=42 scontext=system_u:system_r:i18n_input_t
> > tcontext=system_u:system_r:kernel_t tclass=fd
>
> This is a file from the "rootfs", i.e. the in-memory
> filesystem exploded from the initramfs image by the kernel
> during initialization. It isn't an on-disk file. The kernel
> is improperly leaving a descriptor to it open when it
> executes /sbin/init, and this is then being inherited by all
> processes. SELinux rechecks access to open descriptors
> during execve, and if in enforcing mode, should be closing
> the descriptor and re-opening it to the null device due to
> the denial. Normally this stops the flow of such audit
> messages early on, as it is no longer inherited after that point.
>
> > I'm not quite sure what effect the denials are having, but the system
> > is not very stable at present.
>
> That particular denial should have no impact on stability.
Thanks. I wondered if it was in initramfs, but it's hard to check. Is there
anything I can do to shut it up?
Ruth
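
Added example, not part of the original message: a small log triage script that separates the inherited-descriptor pattern described in the quoted reply (a `use` check on an fd owned by kernel_t that refers to a rootfs file) from other AVC denials. The first sample record is the denial quoted above joined onto one line; the other two records and the types example_a_t and example_b_t are constructed.

```python
import re
from collections import Counter

# First record: the denial quoted in the message, joined onto one line.
# Second and third records: constructed for illustration.
SAMPLE_LOG = """\
Jul 13 14:35:25 filestore kernel: [4294782.219000] audit(1121261725.182:0): avc: denied { use } for path=/init dev=rootfs ino=42 scontext=system_u:system_r:i18n_input_t tcontext=system_u:system_r:kernel_t tclass=fd
Jul 13 14:35:26 filestore kernel: audit(1121261726.001:0): avc: denied { use } for path=/init dev=rootfs ino=42 scontext=system_u:system_r:example_a_t tcontext=system_u:system_r:kernel_t tclass=fd
Jul 13 14:35:27 filestore kernel: audit(1121261727.500:0): avc: denied { read write } for name=example.conf dev=hda1 ino=1234 scontext=system_u:system_r:example_b_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    # The SELinux type is the third colon-separated field of a context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def is_inherited_rootfs_fd(rec):
    """'use' on an fd owned by kernel_t that refers to a file on rootfs."""
    return (rec.get("tclass") == "fd" and rec["perms"] == ["use"]
            and rec.get("dev") == "rootfs" and rec["ttype"] == "kernel_t")

def triage(log_text):
    """Split denials into inherited-descriptor noise and everything else."""
    noise, other = Counter(), []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if is_inherited_rootfs_fd(rec):
            noise[rec["stype"]] += 1   # count per source domain
        else:
            other.append(rec)          # keep for manual review
    return noise, other

if __name__ == "__main__":
    noise, other = triage(SAMPLE_LOG)
    print("inherited rootfs fd denials by source type:", dict(noise))
    for rec in other:
        print("needs review:", rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
```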