No Denial
Browder, Tom
Tom.Browder at fwb.srs.com
Mon Dec 20 21:39:58 UTC 2004
> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com
> [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of
> Stephen Smalley
> Unless your process has uid 0, then the latter command would
> be prevented by ordinary Linux DAC and never reaches the
> SELinux permission checks. Hence, you wouldn't see an audit
> message for it. The former command would be allowed by Linux
> DAC and thus reaches the SELinux checks (and audit).
Thanks, Stephen.
Actually, I did a 'make load', rotated my logs to clear them out, and
then did 'mv /etc/shadow /etc/shadow.save' as a normal user and got a
long denial log message (get_attr).
Tom Browder
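
Added example, not part of the original message: a Python sketch that pulls AVC denials out of a log and flags failed operations that left no denial, which per the quoted explanation are candidates for an ordinary DAC refusal. The log lines, their field layout and the helper names are constructed for illustration.

```python
import re

# Constructed sample lines in the style of kernel AVC messages (not from the post).
SAMPLE_LOG = """\
Dec 20 15:30:01 host kernel: audit(1103578201.100:0): avc:  denied  { getattr } for  pid=4242 exe=/bin/mv path=/etc/shadow dev=hda2 ino=1001 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
Dec 20 15:30:05 host kernel: audit(1103578205.200:0): avc:  granted  { load_policy } for  pid=4100 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Dec 20 15:31:00 host sshd[900]: Accepted password for tom
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict for an AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Everything after "for" is treated as whitespace-separated key=value pairs.
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    fields = {k: v.strip('"') for k, v in fields.items()}
    return {"result": m.group(1), "perms": m.group(2).split(), **fields}

def denials_by_target(log_text):
    """Map (path or name, tclass) -> set of permissions SELinux denied."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec.get("path") or rec.get("name", "?"), rec.get("tclass", "?"))
            out.setdefault(key, set()).update(rec["perms"])
    return out

def dac_only_suspects(failed_ops, log_text):
    """Failed (path, permission) attempts that left no AVC denial.

    These never show up in the SELinux audit trail, so check ordinary
    DAC (owner/mode bits) first; a dontaudit rule can also hide a denial.
    """
    denied = {(path, perm)
              for (path, _), perms in denials_by_target(log_text).items()
              for perm in perms}
    return [op for op in failed_ops if op not in denied]

if __name__ == "__main__":
    print(denials_by_target(SAMPLE_LOG))
    print(dac_only_suspects([("/etc/shadow", "getattr"),
                             ("/etc/shadow", "rename")], SAMPLE_LOG))
```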