Re: No Denial

On Mon, 2004-12-20 at 16:11, Browder, Tom wrote:
> I'm using the default strict policy for FC 3 SELinux for testing and
> learning.
> 
> I see denial messages when I do 'ls -l /etc/shadow', but nothing when I
> try to do 'mv /etc/shadow /etc/shadow.save'.

Unless your process has uid 0, then the latter command would be
prevented by ordinary Linux DAC and never reaches the SELinux permission
checks.  Hence, you wouldn't see an audit message for it.  The former
command would be allowed by Linux DAC and thus reaches the SELinux
checks (and audit).

> Uh, I think I read somewhere that only one of a message type will be
> seen in some situations, but I can't find it now.

That only occurs in permissive mode, to avoid flooding the logs.  In
enforcing mode, it should always audit each occurrence unless a rate
limit is being applied.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
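
The check order described in the reply above, as an added example that is not part of the original message and is not kernel code. It is a small Python model; the class, the function names, the uid 500, the type names and the simplified log line are assumptions constructed for illustration, and rate limiting is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class ModelKernel:
    """Toy model: Linux DAC is evaluated first, SELinux (and its audit) second."""
    enforcing: bool = True
    allow: set = field(default_factory=set)      # (source type, target type, permission)
    audit_log: list = field(default_factory=list)
    seen: set = field(default_factory=set)       # denials already logged (permissive mode)

    def check(self, uid, dac_ok, stype, ttype, perm):
        """Return True if the operation proceeds, False if it is refused."""
        # Step 1: ordinary DAC. A non-root process that fails here is refused
        # before SELinux is consulted, so no audit message is produced.
        if uid != 0 and not dac_ok:
            return False
        # Step 2: SELinux permission check.
        rule = (stype, ttype, perm)
        if rule in self.allow:
            return True
        first = rule not in self.seen
        self.seen.add(rule)
        # Enforcing: audit every occurrence. Permissive: audit only the first
        # occurrence of a given denial, to avoid flooding the logs.
        if self.enforcing or first:
            self.audit_log.append(
                f"avc: denied {{ {perm} }} scontext={stype} tcontext={ttype}")
        return not self.enforcing

def demo(enforcing):
    """Replay the two commands from the thread as a non-root user (uid 500)."""
    k = ModelKernel(enforcing=enforcing)
    # 'ls -l /etc/shadow' run three times: DAC permits stat(), SELinux has no rule.
    results = [k.check(500, True, "user_t", "shadow_t", "getattr") for _ in range(3)]
    ls_msgs = len(k.audit_log)
    # 'mv /etc/shadow /etc/shadow.save': DAC refuses the write to /etc.
    results.append(k.check(500, False, "user_t", "etc_t", "remove_name"))
    mv_msgs = len(k.audit_log) - ls_msgs
    return results, ls_msgs, mv_msgs

if __name__ == "__main__":
    for mode in (True, False):
        print("enforcing" if mode else "permissive", demo(mode))
```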


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux