On 01/19/2010 09:52 AM, Stephen Smalley wrote: > On Mon, 2010-01-18 at 22:05 +0100, Göran Uddeborg wrote: >> Here is another strange AVC I'm trying to understand. >> >> SETroubleshoot on one of my machines is telling me that >> >> SELinux is preventing plymouthd (plymouthd_t) "dac_override" plymouthd_t. >> >> The full message is attached. >> >> If I have understood this correctly, this means that plymouthd was >> trying to read a file as root. But the regular permissions bits of >> the file would not allow that. (Right?) >> >> I assume there is some file with wrong permission bits, which causes >> this to happen. But I can't find any indication WHAT file it was. >> Looking at the message, it seems to me it was trying a dac_override on >> itself. >> >> Is there a way to know what file was involved? > > The capability checks in Linux do not pass the object to the security > module, so SELinux only knows about the current task and the particular > capability requested. To get object information, you need to enable > syscall auditing, and add a trivial syscall filter to turn on pathname > collection by the audit subsystem. Then re-try the operation that > generated the denial. > > auditctl -s > will show the current status of the audit system. > > auditctl -a exit,always -S chroot > is an example syscall filter. > > The filter doesn't need to have anything to do with your failing > operation - it just turns on the machinery that will cause pathname > collection so that when the AVC is generated, you will also get a > SYSCALL record with the pathname info. > So there is no easy way in the kernel to get this information into the AVC without taking the overhead hit of full path auditing. > The capability checks in Linux do not pass the object to the security > module, so SELinux only knows about the current task and the particular > capability requested. Would this be insanity to ask that the object be passed to the capability check? -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
