How do I figure out on what file dac_override is attempted?

Daniel J Walsh dwalsh at redhat.com
Wed Jan 20 15:12:56 UTC 2010


On 01/20/2010 08:51 AM, Stephen Smalley wrote:
> On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote:
>> Stephen Smalley:
>>> To get object information, you need to enable
>>> syscall auditing, and add a trivial syscall filter to turn on pathname
>>> collection by the audit subsystem.
>>
>> Thanks for that tip (all of you who gave it)!  I now know it is
>> /dev/fb that plymouthd can't access.  The audit record also told me it
>> was owned by a regular user and mode rw-------.  So now it makes
>> sense.  A root process would need dac_override to open that file.
> 
> That tip really ought to get captured in the Fedora SELinux FAQ or
> Guide.  Dan?
> 

You mean turning on full auditing if you have a suspicious DAC_OVERRIDE?
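
An added example, not part of the original message or of any project's code: once syscall auditing and pathname collection are enabled as described in the quoted tip, the AVC denial and the PATH record for the same syscall carry the same `msg=audit(timestamp:serial)` event id, so the object behind a `dac_override` denial can be recovered by joining on it. The log records below are constructed sample data (including the uid 500 and the second `exampled` event), and the function names are hypothetical.

```python
import re
import stat
from collections import defaultdict

# Constructed sample records (not from the thread), in audit.log format.
SAMPLE_LOG = """\
type=AVC msg=audit(1263990000.101:77): avc:  denied  { dac_override } for  pid=412 comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability
type=SYSCALL msg=audit(1263990000.101:77): arch=c000003e syscall=2 success=no exit=-13 pid=412 uid=0 comm="plymouthd" exe="/sbin/plymouthd"
type=PATH msg=audit(1263990000.101:77): item=0 name="/dev/fb" inode=5120 dev=00:05 mode=020600 ouid=500 ogid=500
type=AVC msg=audit(1263990007.500:81): avc:  denied  { dac_override } for  pid=990 comm="exampled" capability=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=capability
"""

EVENT_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DAC_RE = re.compile(r"\{[^}]*\bdac_override\b[^}]*\}")

def parse_events(text):
    """Group records by event id (timestamp:serial) shared within one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
            events[event_id].append((rtype, body, fields))
    return events

def dac_override_targets(text):
    """For each dac_override denial, list the PATH objects from the same event."""
    results = []
    for event_id, records in parse_events(text).items():
        avcs = [r for r in records if r[0] == "AVC" and DAC_RE.search(r[1])]
        if not avcs:
            continue
        comm = avcs[0][2].get("comm")
        paths = [f for rtype, _, f in records if rtype == "PATH"]
        if not paths:
            # No PATH record: pathname collection was not active for this event.
            results.append({"event": event_id, "comm": comm, "path": None})
        for f in paths:
            results.append({"event": event_id, "comm": comm, "path": f["name"],
                            "ouid": int(f["ouid"]),
                            "mode": stat.filemode(int(f["mode"], 8))})
    return results

if __name__ == "__main__":
    for hit in dac_override_targets(SAMPLE_LOG):
        print(hit)
```

An entry with `path` set to `None` marks a denial logged without a PATH record, which is what the AVC looks like before pathname collection is turned on.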

