Bug 167580 - post_create: setxattr failed
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Stephen Tweedie
QA Contact: Brian Brock
Reported: 2005-09-05 21:11 UTC by Milan Kerslager
Modified: 2007-11-30 22:07 UTC

Doc Type: Bug Fix
Last Closed: 2005-09-13 18:06:37 UTC
Description Milan Kerslager 2005-09-05 21:11:28 UTC
I have a lot of these messages in my /var/log/messages from the kernel
(2.6.9-11.ELsmp on dual AMD Opteron 244 x86_64 machine):

post_create:  setxattr failed, rc=122 (dev=md1 ino=1320515)

It seems like only annoying messages according to:
http://mail.wirex.com/pipermail/linux-security-module/2005-July/6274.html

I'll try to use beta kernel too.

Comment 1 Stephen Tweedie 2005-09-13 18:06:37 UTC
This is a property of the existing SELinux implementation: the core VFS doesn't
ask SELinux to set up security contexts until after the filesystem itself has
created a new file.  So, it is possible for the file create to succeed but for
the initialisation of the SELinux label to fail; such files end up with a
default label, but the SELinux security policy deals with those labels to avoid
this being a security problem.

rc=122 indicates that the error here is EDQUOT, so the user has exceeded disk
quota between the initial file create and the setting of the SELinux attribute.

Future versions of Linux will not have this behaviour, but will set SELinux
attributes atomically and will fail the create if that cannot be done.  But this
will not be changed in RHEL-4, as that constitutes a significant change in the
semantics of the VFS layer.
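
An added example (not part of the original bug report and not Red Hat code): a log triage script that parses the `post_create: setxattr failed` messages quoted above, decodes `rc`, and lists the affected inodes per device, since those are the files left with a default label. The syslog prefix in the sample lines, the extra sample entries, and the function name `summarize` are assumptions; the errno numbers are the x86/x86_64 Linux values.

```python
import re
from collections import defaultdict

# Linux errno numbers on x86/x86_64 (other architectures may differ).
# Only codes a failing setxattr is likely to return are listed here.
LINUX_ERRNO = {13: "EACCES", 28: "ENOSPC", 95: "EOPNOTSUPP", 122: "EDQUOT"}

# Kernel message format as quoted in the report.
PATTERN = re.compile(
    r"post_create:\s+setxattr failed, "
    r"rc=(?P<rc>\d+) \(dev=(?P<dev>\S+) ino=(?P<ino>\d+)\)"
)


def summarize(lines):
    """Return {(device, errno_name): sorted unique inodes} for failed labels."""
    groups = defaultdict(set)
    for line in lines:
        m = PATTERN.search(line)
        if m is None:
            continue  # unrelated syslog line
        rc = int(m.group("rc"))
        name = LINUX_ERRNO.get(rc, f"errno {rc}")
        groups[(m.group("dev"), name)].add(int(m.group("ino")))
    return {key: sorted(inos) for key, inos in groups.items()}


# Constructed sample input. Only the first message body comes from the report;
# timestamps, host name and the remaining entries are invented for illustration.
SAMPLE = [
    "Sep  5 21:02:11 host kernel: post_create:  setxattr failed, rc=122 (dev=md1 ino=1320515)",
    "Sep  5 21:02:12 host kernel: post_create:  setxattr failed, rc=122 (dev=md1 ino=1320516)",
    "Sep  5 21:02:12 host kernel: post_create:  setxattr failed, rc=122 (dev=md1 ino=1320515)",
    "Sep  5 21:03:40 host sshd[2211]: session opened for user root",
    "Sep  5 21:04:02 host kernel: post_create:  setxattr failed, rc=28 (dev=sda3 ino=77)",
]

if __name__ == "__main__":
    for (dev, err), inodes in sorted(summarize(SAMPLE).items()):
        print(f"{dev}: {err}: {len(inodes)} unlabeled inode(s): {inodes}")
```

Each reported inode can be resolved to a path with `find <mountpoint> -xdev -inum <ino>` and relabelled with `restorecon` once the quota or space condition is cleared.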


