On 01/20/2010 08:51 AM, Stephen Smalley wrote: > On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote: >> Stephen Smalley: >>> To get object information, you need to enable >>> syscall auditing, and add a trivial syscall filter to turn on pathname >>> collection by the audit subsystem. >> >> Thanks for that tip (all of you who gave it)! I now know it is >> /dev/fb that plymouthd can't access. The audit record also told me it >> was owned by a regular user and mode rw-------. So now it makes >> sense. A root process would need dac_override to open that file. > > That tip really ought to get captured in the Fedora SELinux FAQ or > Guide. Dan? > You mean turning on full auditing if you have a suspicious DAC_OVERRIDE?