On 02/03/2013, at 5:06 PM, Douglas Brown wrote:

> I have a RHEL 6.3 machine enforcing the mls policy. When I try to set the SGID bit on a folder with `chmod g+s folder_name`, the command's exit code is 0; nothing is logged in /var/log/messages or /var/log/audit/audit.log; but the bit isn't actually set. If I change to permissive mode with `setenforce 0`, it then works.

I'm still not quite sure why chmod wasn't returning a non-zero exit code, but here's the solution:

I thought that the lack of logging must be due to donotallow rules, so I turned them off with:

    semodule -DB

Then tried the chmod and got AVCs that, when piped to audit2why, indicated that I should check the capabilities allowed by policy. I did this with:

    sesearch --allow --source sysadm_t --target user_home_t --class file -p setattr

This showed that there is in fact a rule to allow this.

I then suddenly realised that I was still in the secadm_r (and therefore the secadm_t), which does not have the equivalent allow rules permitting the setattr capability on user_home_t. I changed back to the sysadm_r with the appropriate clearance to make a change to the folder; retried the chmod, and it worked.

To the best of my knowledge, the secadm_r should be used *exclusively* for declassifying objects.

I hope this helps someone else. :)

Cheers,
Doug

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
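A pre-flight check for the situation Doug describes, added here as an example and not part of his mail: it parses a SELinux context of the form user:role:type:level (as printed by `id -Z`), confirms the current role is the one the change needs, builds the sesearch query from the role's domain, and verifies whether a mode string actually carries the setgid bit, since chmod's exit code alone did not reveal the failure. The sample context is constructed; the role-to-domain mapping assumes the refpolicy naming convention (sysadm_r to sysadm_t) that the mail relies on.

```shell
#!/bin/sh
# Added example, not from the original mail. Pre-flight checks before changing
# permissions under the MLS policy.

# context_field CONTEXT N -> field N of user:role:type:level (1..4).
# The level may itself contain colons (s0-s15:c0.c1023), so field 4 is
# everything after the third colon.
context_field() {
    case "$2" in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# role_type ROLE -> domain type for the role (sysadm_r -> sysadm_t).
# Assumption: the refpolicy _r/_t suffix convention used in the mail.
role_type() {
    printf '%s\n' "${1%_r}_t"
}

# check_role CONTEXT EXPECTED_ROLE -> 0 if the context's role matches, else 1.
check_role() {
    [ "$(context_field "$1" 2)" = "$2" ]
}

# sesearch_cmd CONTEXT TARGET_TYPE -> the policy query that confirms setattr
# on files for the domain of the role in CONTEXT (the query Doug ran).
sesearch_cmd() {
    printf 'sesearch --allow --source %s --target %s --class file -p setattr\n' \
        "$(role_type "$(context_field "$1" 2)")" "$2"
}

# has_setgid MODE -> 0 if a symbolic mode string such as drwxr-sr-x carries
# the setgid bit (character 7, the group execute position, is s or S).
has_setgid() {
    case "$(printf '%s' "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample: what `id -Z` might print while still in secadm_r.
SAMPLE_CTX='root:secadm_r:secadm_t:s0-s15:c0.c1023'
if ! check_role "$SAMPLE_CTX" sysadm_r; then
    echo "current role is $(context_field "$SAMPLE_CTX" 2); switch with: newrole -r sysadm_r" >&2
fi
sesearch_cmd "$SAMPLE_CTX" user_home_t
```

After the chmod, `has_setgid "$(stat -c %A folder_name)"` tells you whether the bit really landed, independent of chmod's exit status.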