How do I figure out on what file dac_override is attempted?

Daniel J Walsh dwalsh at redhat.com
Wed Jan 20 19:23:25 UTC 2010


On 01/20/2010 11:15 AM, Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Wed, 2010-01-20 at 10:12 -0500, Daniel J Walsh wrote:
>>> On 01/20/2010 08:51 AM, Stephen Smalley wrote:
>>>> On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote:
>>>>> Stephen Smalley:
>>>>>> To get object information, you need to enable
>>>>>> syscall auditing, and add a trivial syscall filter to turn on
>>>>>> pathname
>>>>>> collection by the audit subsystem.
>>>>> Thanks for that tip (all of you who gave it)!  I now know it is
>>>>> /dev/fb that plymouthd can't access.  The audit record also told me it
>>>>> was owned by a regular user and mode rw-------.  So now it makes
>>>>> sense.  A root process would need dac_override to open that file.
>>>> That tip really ought to get captured in the Fedora SELinux FAQ or
>>>> Guide.  Dan?
>>>>
>>> You mean turning on full auditing if you have a suspicious DAC_OVERRIDE?
>>
>> More generally, if you want full pathname information for an AVC denial
>> and you aren't getting it in the AVC message, you can get it by adding a
>> trivial audit syscall filter and re-trying the operation, where adding a
>> trivial audit syscall filter can be done by any of the three examples
>> given by Steve Grubb, Eric, or myself - take your pick.  It can be done
>> temporarily just by running auditctl or on every boot by adding the
>> entry to /etc/audit/audit.rules.
>>
> 
> Can we add it to selinuxproject.org instead (or in addition to, I guess?)

Here is my blog on it.

http://danwalsh.livejournal.com/34903.html
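The correlation described above, as an added Python example (not part of the thread or Dan's blog): once a syscall filter is active, the AVC, SYSCALL and PATH records of one event share an audit serial, so the PATH record tells you which object the dac_override denial was about. The audit lines below are constructed samples, not real logs.

```python
import re
import stat
from collections import defaultdict

# Constructed audit records (not real logs). Event 4567 has the SYSCALL/PATH
# records a syscall filter produces; event 4580 is an AVC record on its own.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1264002000.123:4567): avc:  denied  { dac_override } for  pid=1234 comm="plymouthd" capability=1  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1264002000.123:4567): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="plymouthd" exe="/sbin/plymouthd" subj=system_u:system_r:plymouthd_t:s0',
    'type=PATH msg=audit(1264002000.123:4567): item=0 name="/dev/fb" inode=1234 dev=00:05 mode=020600 ouid=500 ogid=500 rdev=1d:00 obj=system_u:object_r:framebuf_device_t:s0',
    'type=AVC msg=audit(1264002100.456:4580): avc:  denied  { dac_override } for  pid=1234 comm="plymouthd" capability=1  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability',
]

SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')   # event serial number
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value or key="value"
DENIED_RE = re.compile(r'denied\s+\{ ([^}]+) \}')        # AVC permission list

def parse_record(line):
    """Return (serial, record type, fields) for one audit line, or None."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    denied = DENIED_RE.search(line)
    fields['denied'] = denied.group(1).split() if denied else []
    return m.group(1), fields.get('type'), fields

def explain_denials(lines, permission='dac_override'):
    """Group records by serial (as ausearch does for one event) and, for each
    AVC denial of `permission`, report the object from that event's PATH
    records; path/ouid/mode are None when no PATH record exists, i.e. no
    syscall filter was active when the denial happened."""
    events = defaultdict(list)
    for parsed in filter(None, map(parse_record, lines)):
        events[parsed[0]].append(parsed[1:])
    results = []
    for serial, records in sorted(events.items(), key=lambda kv: int(kv[0])):
        avcs = [f for t, f in records if t == 'AVC' and permission in f['denied']]
        if not avcs:
            continue
        for p in [f for t, f in records if t == 'PATH'] or [None]:
            results.append({
                'serial': serial, 'comm': avcs[0].get('comm'),
                'path': p['name'] if p else None,
                'ouid': int(p['ouid']) if p else None,
                # PATH mode is octal including file-type bits; render it ls-style
                'mode': stat.filemode(int(p['mode'], 8)) if p else None,
            })
    return results
```

An event that yields only an AVC record and no path is the signal that the syscall filter was not in place when the denial occurred.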