SE Linux lacks proper user notification for security violations

Stephen Smalley
Mon Jun 27 13:49:38 UTC 2005

On Sat, 2005-06-25 at 09:21 -0400, Valdis Kletnieks wrote:
> If you're not getting a "permission denied", that means that *your* code
> failed to check the return code of a syscall and call perror() (or language
> equivalent) if needed.

To be fair, SELinux will sometimes prevent such error reporting by the
application because it will have already closed stdin/stdout/stderr and
re-opened them to the null device due to a policy denial on the
inherited descriptor at exec time (upon a domain change).  Hence, the
only safe approach is to log such error reports to a log file (and
naturally, to ensure that the application has the necessary permissions
to append to the log file).

Stephen Smalley
National Security Agency
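Added example, not part of the original message or of SELinux itself: a small C helper that checks whether stderr still reaches somewhere meaningful before trying to use it, and otherwise appends the diagnostic to a log file, as the message recommends. The check compares the device number of fd 2 against /dev/null, which catches the case where the inherited descriptor was re-opened onto the null device at exec time, and treats a descriptor that is not open at all the same way. The log path, the probed file and the message text are assumptions for illustration; the policy still has to grant the domain append access to the log file's type.

```c
/* Added example (not from the original post): detect a stderr that was
 * silently replaced with the null device at a domain transition and fall
 * back to appending the error report to a log file. Paths are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if fd is open on the null device, 0 if it is open on anything
 * else, and -1 if it is not open at all (or /dev/null cannot be stat'ed). */
int fd_is_null_device(int fd)
{
    struct stat st, nul;
    if (fstat(fd, &st) != 0)
        return -1;                       /* EBADF: descriptor was closed */
    if (stat("/dev/null", &nul) != 0)
        return -1;
    return (S_ISCHR(st.st_mode) && st.st_rdev == nul.st_rdev) ? 1 : 0;
}

/* Write "msg: strerror(err)" to stderr if stderr is usable, otherwise append
 * it to logpath. Returns 1 if it went to stderr, 2 if it went to the log
 * file, -1 if neither channel worked. */
int report_error(const char *logpath, const char *msg, int err)
{
    char buf[512];
    int n = snprintf(buf, sizeof buf, "%s: %s\n", msg, strerror(err));
    if (n < 0)
        return -1;
    if ((size_t)n >= sizeof buf)
        n = (int)sizeof buf - 1;         /* truncated, still terminated */

    if (fd_is_null_device(STDERR_FILENO) == 0) {
        if (write(STDERR_FILENO, buf, (size_t)n) == n)
            return 1;
    }

    /* stderr is closed or points at the null device: use the log file.
     * The domain needs append permission on this file's type in policy. */
    int fd = open(logpath, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return (w == n) ? 2 : -1;
}

int main(void)
{
    /* A syscall that policy (or plain DAC) may deny; report it either way.
     * "/tmp/example-app.log" is a hypothetical log location. */
    if (access("/etc/shadow", R_OK) != 0)
        report_error("/tmp/example-app.log", "access /etc/shadow", errno);
    return 0;
}
```

Checking the descriptor once at startup rather than on every error keeps the cost negligible, and the same check on STDIN_FILENO tells a program whether it was really given input or the null device.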
