How do I figure out on what file dac_override is attempted?
Stephen Smalley
sds at tycho.nsa.gov
Wed Jan 20 13:51:22 UTC 2010
On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote:
> Stephen Smalley:
> > To get object information, you need to enable
> > syscall auditing, and add a trivial syscall filter to turn on pathname
> > collection by the audit subsystem.
>
> Thanks for that tip (all of you who gave it)! I now know it is
> /dev/fb that plymouthd can't access. The audit record also told me it
> was owned by a regular user and mode rw-------. So now it makes
> sense. A root process would need dac_override to open that file.
That tip really ought to get captured in the Fedora SELinux FAQ or
Guide. Dan?
--
Stephen Smalley
National Security Agency
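
Added example, not part of the original message and not code from the audit or SELinux projects: once pathname collection is on, the AVC denial and the PATH record for the same system call carry the same audit(timestamp:serial) event ID, so the file behind a dac_override denial can be recovered by joining records on that ID. The log lines, the "exampled" process and the function names below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (illustrative, not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1263990000.101:42): avc:  denied  { dac_override } for  pid=501 comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability
type=SYSCALL msg=audit(1263990000.101:42): arch=c000003e syscall=2 success=no exit=-13 pid=501 uid=0 comm="plymouthd" exe="/sbin/plymouthd"
type=PATH msg=audit(1263990000.101:42): item=0 name="/dev/fb" inode=4711 dev=00:05 mode=020600 ouid=500 ogid=500
type=AVC msg=audit(1263990008.007:43): avc:  denied  { dac_override } for  pid=777 comm="exampled" capability=1 tclass=capability
type=PATH msg=audit(1263990013.300:44): item=0 name=2F746D702F612062 inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

EVENT = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_name(raw):
    """Quoted values are literal; unquoted ones are hex-encoded by audit."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # e.g. (null)


def dac_override_targets(log_text):
    """Return (comm, path, ouid, mode) for every dac_override denial."""
    events = defaultdict(list)  # "timestamp:serial" -> [(type, line, fields)]
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:
            events[m.group(2)].append((m.group(1), line, dict(FIELD.findall(line))))
    results = []
    for records in events.values():
        denials = [f for t, line, f in records
                   if t == "AVC" and "denied" in line and "dac_override" in line]
        paths = [f for t, _, f in records if t == "PATH"]
        for avc in denials:
            comm = decode_name(avc.get("comm", "?"))
            if not paths:  # pathname collection was not active for this event
                results.append((comm, None, None, None))
            for p in paths:
                results.append((comm, decode_name(p.get("name", "(null)")),
                                p.get("ouid"), p.get("mode")))
    return results


if __name__ == "__main__":
    for row in dac_override_targets(SAMPLE_LOG):
        print(row)
```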
More information about the Linux-audit
mailing list