No Denial

Stephen Smalley sds at
Mon Dec 20 21:40:14 UTC 2004

On Mon, 2004-12-20 at 16:32, Browder, Tom wrote:
> But the denial is the same whether I do 'ls /etc/shadow' or 'mv
> /etc/shadow /etc/'.  Is there a way to show the different
> system calls?

I suspect that you are only getting a getattr denial on the latter for
when mv tries to stat the file, but you are never reaching the SELinux
permission checks for the rename(2) itself, because Linux DAC will block
access unless you are uid 0.  In any event, you can enable system call
auditing via the audit=1 kernel boot parameter or via auditctl -e 1.

> Here's my situation:  I have a customer who wants to audit specific
> commands on specific files and directories, i.e., who's doing what to
> whom and when.
> Is there an "easy" way to do something like that?
> Thanks, and I'll try not to bug you any more.

I suspect that you don't actually want SELinux auditing here, as it is
just of MAC permission checks, but instead want ordinary system call
auditing.  There is ongoing work to enhance the existing Linux audit
framework and userspace tools toward that end, see the linux-audit
mailing list.

Stephen Smalley <sds at>
National Security Agency

More information about the fedora-selinux-list mailing list