Re: How do I figure out on what file dac_override is attempted?
On Wed, 2010-01-20 at 15:49 -0500, Daniel J Walsh wrote:
On 01/20/2010 02:50 PM, Stephen Smalley wrote:
> type=PATH msg=audit(01/20/2010 14:43:20.785:41253) : item=0
name=./capable_file/temp_file inode=841249 dev=fd:00 mode=file,644 ouid=root ogid=root
rdev=00:00 obj=unconfined_u:object_r:test_file_t:s0
Why does path begin with a ./capable_file/temp_file?
Because the audit system is collecting the pathname string that was
passed to the system call, and that pathname was a relative path. But
note the CWD record which enables you to deduce the absolute path.
--
Stephen Smalley
National Security Agency