On 01/20/2010 11:15 AM, Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Wed, 2010-01-20 at 10:12 -0500, Daniel J Walsh wrote:
>>> On 01/20/2010 08:51 AM, Stephen Smalley wrote:
>>>> On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote:
>>>>> Stephen Smalley:
>>>>>> To get object information, you need to enable
>>>>>> syscall auditing, and add a trivial syscall filter to turn on pathname
>>>>>> collection by the audit subsystem.
>>>>> Thanks for that tip (all of you who gave it)! I now know it is
>>>>> /dev/fb that plymouthd can't access. The audit record also told me it
>>>>> was owned by a regular user and mode rw-------. So now it makes
>>>>> sense. A root process would need dac_override to open that file.
>>>> That tip really ought to get captured in the Fedora SELinux FAQ or
>>>> Guide. Dan?
>>>>
>>> You mean turning on full auditing if you have a suspicious DAC_OVERRIDE?
>>
>> More generally, if you want full pathname information for an AVC denial
>> and you aren't getting it in the AVC message, you can get it by adding a
>> trivial audit syscall filter and re-trying the operation, where adding a
>> trivial audit syscall filter can be done by any of the three examples
>> given by Steve Grubb, Eric, or myself - take your pick. It can be done
>> temporarily just by running auditctl or on every boot by adding the
>> entry to /etc/audit/audit.rules.
>>
>
> Can we add it to selinuxproject.org instead (or in addition to, I guess?)

Here is my blog on it.

http://danwalsh.livejournal.com/34903.html

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
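Once a syscall filter is loaded, the AVC, SYSCALL and PATH records of a single event share one audit serial number, which is what lets you read the path, owner and mode off a dac_override denial the way Göran did. The following is an added example, not code from the thread or from audit/SELinux tooling: it correlates ausearch-style records by serial and reports, per denial, the target path plus owner uid and permission bits when a PATH record is present. All record contents (pids, inodes, uids, labels) are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample records: one dac_override denial that gained SYSCALL and
# PATH records because a syscall rule was loaded, and one plain file AVC
# (serial 457) that carries only the basename, as AVCs do without such a rule.
SAMPLE = """\
type=AVC msg=audit(1264000000.123:456): avc:  denied  { dac_override } for  pid=1234 comm="plymouthd" capability=1  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability
type=SYSCALL msg=audit(1264000000.123:456): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1 pid=1234 uid=0 gid=0 euid=0 comm="plymouthd" exe="/sbin/plymouthd" subj=system_u:system_r:plymouthd_t:s0 key=(null)
type=PATH msg=audit(1264000000.123:456): item=0 name="/dev/fb" inode=9001 dev=00:0a mode=020600 ouid=500 ogid=500 rdev=1d:00 obj=system_u:object_r:framebuf_device_t:s0
type=AVC msg=audit(1264000001.500:457): avc:  denied  { read } for  pid=2000 comm="httpd" name="index.html" dev=sda1 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by serial number; one field dict per record type."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = re.search(r'\{ ([^}]*) \}', body)   # "{ dac_override }" on AVC lines
        if perms:
            fields['perms'] = perms.group(1).split()
        events[int(serial)][rtype] = fields
    return events

def explain_denials(text):
    """Per AVC: path, owner uid and mode bits from PATH (if any), euid from SYSCALL."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        avc = recs.get('AVC')
        if not avc:
            continue
        info = {'serial': serial, 'comm': avc['comm'], 'perms': avc['perms'],
                'tclass': avc['tclass'], 'path': avc.get('name'),
                'ouid': None, 'mode': None, 'euid': None}
        if 'PATH' in recs:                          # full pathname, owner, mode
            p = recs['PATH']
            info['path'] = p['name']
            info['ouid'] = int(p['ouid'])
            info['mode'] = int(p['mode'], 8) & 0o777  # strip file-type bits
        if 'SYSCALL' in recs:
            info['euid'] = int(recs['SYSCALL']['euid'])
        # A root process opening another user's 0600 file is exactly the case
        # where the kernel consults CAP_DAC_OVERRIDE, hence the AVC.
        info['owner_mismatch'] = (info['ouid'] is not None
                                  and info['euid'] is not None
                                  and info['ouid'] != info['euid'])
        out.append(info)
    return out
```

Running `explain_denials(SAMPLE)` shows serial 456 as `/dev/fb`, owner uid 500, mode 0600, opened by euid 0, while serial 457 yields only `index.html` because no PATH record accompanies it.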