-----Original Message-----
From: fedora-selinux-list-bounces@redhat.com [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Stephen Smalley

Unless your process has uid 0, then the latter command would be prevented by ordinary Linux DAC and never reaches the SELinux permission checks. Hence, you wouldn't see an audit message for it. The former command would be allowed by Linux DAC and thus reaches the SELinux checks (and audit).
Thanks, Stephen.
Actually, I did a 'make load', rotated my logs to clear them out, and then did 'mv /etc/shadow /etc/shadow.save' as a normal user and got a long denial log message (get_attr).
Tom Browder
On Mon, 2004-12-20 at 16:39, Browder, Tom wrote:
Actually, I did a 'make load', rotated my logs to clear them out, and then did 'mv /etc/shadow /etc/shadow.save' as a normal user and got a long denial log message (get_attr).
Yes, but that is just for the stat(2) attempt (stat => getattr), not for the rename(2) call, which would never reach the SELinux checks unless you first pass the Linux DAC checks.
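The ordering Stephen describes, as an added example that is not part of the thread: a simplified Python model of how Linux DAC gates the SELinux hooks for the two syscalls behind mv(1). The directory modes, file modes and uids are constructed, and the DAC rules are reduced to owner/other bits with a uid-0 bypass.

```python
"""Why 'mv /etc/shadow /etc/shadow.save' as a normal user yields only a getattr
AVC: Linux DAC runs before the SELinux hooks, so a syscall DAC refuses never
reaches SELinux and never produces an audit record. Simplified model of the
kernel's behaviour, not kernel code; all metadata below is constructed."""
import os

# Constructed metadata: owner uid and mode bits for the paths involved.
FS = {
    "/etc":        {"uid": 0, "mode": 0o755},
    "/etc/shadow": {"uid": 0, "mode": 0o000},
}

def dac_allows(uid, path, want):
    """want is a string over 'rwx'; uid 0 bypasses DAC (CAP_DAC_OVERRIDE).
    Group bits are omitted for brevity: owner bits if uid matches, else other."""
    if uid == 0:
        return True
    ent = FS[path]
    bits = (ent["mode"] >> 6) & 7 if ent["uid"] == uid else ent["mode"] & 7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need

def syscalls_for_mv(src, dst):
    """The two relevant steps mv(1) takes: (syscall, SELinux permission,
    DAC checks that must pass before the SELinux hook is consulted)."""
    parent = os.path.dirname(src)
    return [
        # stat(2) on the source needs only search (x) on the containing directory
        ("stat", "getattr", [(parent, "x")]),
        # rename(2) needs write+search on the parent directory of both names
        ("rename", "rename", [(parent, "wx"), (os.path.dirname(dst), "wx")]),
    ]

def reaches_selinux(uid, src, dst):
    """Map each syscall to the SELinux permission it would be checked for,
    or None when DAC refuses it first (so no AVC can ever be logged)."""
    result = {}
    for sc, perm, checks in syscalls_for_mv(src, dst):
        passed = all(dac_allows(uid, p, w) for p, w in checks)
        result[sc] = perm if passed else None
    return result

if __name__ == "__main__":
    for uid in (1000, 0):
        outcome = reaches_selinux(uid, "/etc/shadow", "/etc/shadow.save")
        print(f"uid {uid}: {outcome}")
```

For uid 1000 only stat reaches SELinux (hence a single getattr denial), while for uid 0 both syscalls reach the SELinux checks.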
selinux@lists.fedoraproject.org