On Mon, 2004-12-20 at 16:39, Browder, Tom wrote:
> Actually, I did a 'make load', rotated my logs to clear them out, and
> then did 'mv /etc/shadow /etc/shadow.save' as a normal user and got a
> long denial log message (get_attr).

Yes, but that is just for the stat(2) attempt (stat => getattr), not for
the rename(2) call, which would never reach the SELinux checks unless
you first pass the Linux DAC checks.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency