How do I figure out on what file dac_override is attempted?
Stephen Smalley
sds at tycho.nsa.gov
Wed Jan 20 15:22:07 UTC 2010
On Wed, 2010-01-20 at 10:12 -0500, Daniel J Walsh wrote:
> On 01/20/2010 08:51 AM, Stephen Smalley wrote:
> > On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote:
> >> Stephen Smalley:
> >>> To get object information, you need to enable
> >>> syscall auditing, and add a trivial syscall filter to turn on pathname
> >>> collection by the audit subsystem.
> >>
> >> Thanks for that tip (all of you who gave it)! I now know it is
> >> /dev/fb that plymouthd can't access. The audit record also told me it
> >> was owned by a regular user and mode rw-------. So now it makes
> >> sense. A root process would need dac_override to open that file.
> >
> > That tip really ought to get captured in the Fedora SELinux FAQ or
> > Guide. Dan?
> >
>
> You mean turning on full auditing if you have a suspicious DAC_OVERRIDE?
More generally, if you want full pathname information for an AVC denial
and you aren't getting it in the AVC message, you can get it by adding a
trivial audit syscall filter and re-trying the operation, where adding a
trivial audit syscall filter can be done by any of the three examples
given by Steve Grubb, Eric, or myself - take your pick. It can be done
temporarily just by running auditctl or on every boot by adding the
entry to /etc/audit/audit.rules.
--
Stephen Smalley
National Security Agency
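The thread does not reproduce the three syscall-filter examples it refers to, so the following is an added illustration, not code from this thread or from the audit project. It assumes one common form of the "trivial" filter, `auditctl -a always,exit -F arch=b64 -S open -S openat -k dac-debug` (persisted by putting the same rule, minus `auditctl`, in /etc/audit/audit.rules), and shows what that rule buys you: the AVC record is then joined by SYSCALL, CWD and PATH records carrying the same audit(timestamp:serial) event id, and the PATH record is where the pathname, owner and mode come from. The script groups records by that id and reports, for each denial, the object it was attempted on; the audit.log lines embedded in it are constructed for the example and their values are made up.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log contents (values invented for this example).
# Event 4567 has the SYSCALL/CWD/PATH records a syscall filter produces;
# event 4570 is the bare AVC record you get without one.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1264000000.123:4567): avc:  denied  { dac_override } for  pid=1234 comm="plymouthd" capability=1  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability
type=SYSCALL msg=audit(1264000000.123:4567): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0000 a1=2 a2=0 a3=0 items=1 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="plymouthd" exe="/sbin/plymouthd" subj=system_u:system_r:plymouthd_t:s0 key="dac-debug"
type=CWD msg=audit(1264000000.123:4567):  cwd="/"
type=PATH msg=audit(1264000000.123:4567): item=0 name="/dev/fb" inode=1234 dev=00:05 mode=020600 ouid=500 ogid=500 rdev=1d:00 obj=system_u:object_r:framebuf_device_t:s0
type=AVC msg=audit(1264000000.456:4570): avc:  denied  { dac_override } for  pid=1234 comm="plymouthd" capability=1  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability
"""

# type=<RECORD> msg=audit(<secs>.<ms>:<serial>): <body>
HEADER_RE = re.compile(r'^type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"
PERM_RE = re.compile(r'denied\s+\{\s*([^}]+?)\s*\}')  # { dac_override }


def parse_events(log_text):
    """Group audit records by their audit(ts:serial) event id, in file order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # blank line or a record shape this toy parser ignores
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == 'AVC':
            pm = PERM_RE.search(body)
            fields['permission'] = pm.group(1) if pm else ''
            fields['result'] = 'denied' if 'denied' in body else 'granted'
        events[serial].append((rtype, fields))
    return events


def mode_string(mode_field):
    """Render the octal mode from a PATH record (e.g. 020600) as rwx bits."""
    mode = int(mode_field, 8)
    out = []
    for shift in (6, 3, 0):
        triplet = (mode >> shift) & 0o7
        out.append('r' if triplet & 4 else '-')
        out.append('w' if triplet & 2 else '-')
        out.append('x' if triplet & 1 else '-')
    return ''.join(out)


def explain_denials(log_text):
    """For every AVC denial, attach the SYSCALL and PATH data from the same event."""
    findings = []
    for serial, records in parse_events(log_text).items():
        by_type = defaultdict(list)
        for rtype, fields in records:
            by_type[rtype].append(fields)
        for avc in by_type['AVC']:
            if avc.get('result') != 'denied':
                continue
            syscall = by_type['SYSCALL'][0] if by_type['SYSCALL'] else {}
            paths = [{
                'name': p.get('name', ''),
                'mode': mode_string(p['mode']) if 'mode' in p else '',
                'ouid': p.get('ouid', ''),
                'ogid': p.get('ogid', ''),
                'obj': p.get('obj', ''),
            } for p in by_type['PATH']]
            findings.append({
                'serial': serial,
                'permission': avc['permission'],
                'comm': avc.get('comm', ''),
                'tclass': avc.get('tclass', ''),
                'exe': syscall.get('exe', ''),
                'syscall': syscall.get('syscall', ''),
                'exit': syscall.get('exit', ''),
                'paths': paths,
            })
    return findings


def format_finding(f):
    head = f"event {f['serial']}: {f['comm']} denied {{ {f['permission']} }} on {f['tclass']}"
    if f['exe']:
        head += f" (exe={f['exe']} syscall={f['syscall']} exit={f['exit']})"
    if not f['paths']:
        # Exactly the situation the thread describes: AVC alone names no object.
        return head + "\n  no PATH records: add a syscall filter and retry the operation"
    lines = [head]
    for p in f['paths']:
        lines.append(f"  {p['name']}  mode={p['mode']} owner={p['ouid']}:{p['ogid']} context={p['obj']}")
    return '\n'.join(lines)


if __name__ == '__main__':
    for finding in explain_denials(SAMPLE_AUDIT_LOG):
        print(format_finding(finding))
```

Run against the sample, the first event is reported as plymouthd denied dac_override on /dev/fb, mode rw------- owned by uid 500, which is the "root process needs dac_override to open a user-owned 0600 file" conclusion reached in the thread; the second event only says that no PATH record was recorded. On a real system `ausearch -i -k dac-debug` gives the same join, but seeing the serial-number correlation spelled out makes it clear why the filter, and not the AVC record, is what supplies the pathname.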
More information about the Linux-audit mailing list