No Denial

Browder, Tom Tom.Browder at
Mon Dec 20 21:39:58 UTC 2004

> -----Original Message-----
> From: fedora-selinux-list-bounces at 
> [mailto:fedora-selinux-list-bounces at] On Behalf Of 
> Stephen Smalley
> Unless your process has uid 0, then the latter command would 
> be prevented by ordinary Linux DAC and never reaches the 
> SELinux permission checks.  Hence, you wouldn't see an audit 
> message for it.  The former command would be allowed by Linux 
> DAC and thus reaches the SELinux checks (and audit).

Thanks, Stephen.

Actually, I did a 'make load', rotated my logs to clear them out, and
then did 'mv /etc/shadow /etc/' as a normal user and got a
long denial log message (get_attr). 

Tom Browder

More information about the fedora-selinux-list mailing list