How do I figure out on what file dac_override is attempted?

Joshua Brindle method at manicmethod.com
Wed Jan 20 16:15:37 UTC 2010


Stephen Smalley wrote:
> On Wed, 2010-01-20 at 10:12 -0500, Daniel J Walsh wrote:
>> On 01/20/2010 08:51 AM, Stephen Smalley wrote:
>>> On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote:
>>>> Stephen Smalley:
>>>>> To get object information, you need to enable
>>>>> syscall auditing, and add a trivial syscall filter to turn on pathname
>>>>> collection by the audit subsystem.
>>>> Thanks for that tip (all of you who gave it)!  I now know it is
>>>> /dev/fb that plymouthd can't access.  The audit record also told me it
>>>> was owned by a regular user and mode rw-------.  So now it makes
>>>> sense.  A root process would need dac_override to open that file.
>>> That tip really ought to get captured in the Fedora SELinux FAQ or
>>> Guide.  Dan?
>>>
>> You mean turning on full auditing if you have a suspicious DAC_OVERRIDE?
>
> More generally, if you want full pathname information for an AVC denial
> and you aren't getting it in the AVC message, you can get it by adding a
> trivial audit syscall filter and re-trying the operation, where adding a
> trivial audit syscall filter can be done by any of the three examples
> given by Steve Grubb, Eric, or myself - take your pick.  It can be done
> temporarily just by running auditctl or on every boot by adding the
> entry to /etc/audit/audit.rules.
>

Can we add it to selinuxproject.org instead (or in addition to, I guess?)


More information about the selinux mailing list