No Denial

Browder, Tom Tom.Browder at fwb.srs.com
Mon Dec 20 21:39:58 UTC 2004


> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com 
> [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of 
> Stephen Smalley
> Unless your process has uid 0, then the latter command would 
> be prevented by ordinary Linux DAC and never reaches the 
> SELinux permission checks.  Hence, you wouldn't see an audit 
> message for it.  The former command would be allowed by Linux 
> DAC and thus reaches the SELinux checks (and audit).

Thanks, Stephen.

Actually, I did a 'make load', rotated my logs to clear them out, and
then did 'mv /etc/shadow /etc/shadow.save' as a normal user and got a
long denial log message (get_attr). 

Tom Browder



